Lotus Domino HTTP long URL DoS

1999-12-21T00:00:00
ID OSVDB:51
Type osvdb
Reporter OSVDB
Modified 1999-12-21T00:00:00

Description

Vulnerability Description

Lotus Domino HTTP Service contains a flaw that may allow a remote denial of service. The issue is triggered when a very long URL for a non-existent page is requested under the /cgi-bin directory, and results in loss of availability for the platform. A hard reboot is required to recover.

Technical Description

The Domino HTTP server CGI processing contains multiple vulnerabilities that were not addressed until the release of Domino R5.

Solution Description

Upgrade to version 5.0 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s):

[From Lotus Support post on Bugtraq Mailing List]

Recommended Workarounds for Buffer Overflow Denial of Service Attack Against Lotus Domino Server

The workaround is to create a URL redirect in the DOMCFG.NSF database that redirects any anomalous CGI requests to another URL. Since any non-existent CGI calls can cause this error, the following workaround is suggested.

  • If the customer does not require the use of any CGI's, then the entire /cgi-bin directory can be redirected to another URL (a Notes database, or html file). If any "/cgi-bin" requests are made, they will be directed to this URL and are not processed as CGI.

  • If the customer does require the use of CGI's, the following setup will be required:

1) In the HTTP section of the Server Document, change the "CGI URL path" field to a different URL path. This does not require a change for the "CGI directory" field, such that the location on the hard drive for CGI's will remain the same. Only the URL which invokes CGI's will be altered.

Example: The default CGI URL path is "/cgi-bin"; change this to "/scripts/cgi-bin". Now, whenever a /cgi-bin request is made, it is recognized as a URL instead of a CGI.

2) Create a URL Redirect document in the DOMCFG.NSF for each specific CGI that resides on the server. Specify the incoming URL path as "/cgi-bin", and the redirection URL as "/scripts/cgi-bin".

Example: A customer has a CGI named "Xrun.cgi" in the domino/cgi-bin directory. Regularly, any requests to execute the CGI would come in as "http://hostname/cgi-bin/Xrun.cgi". This URL request is redirected to "http://hostname/scripts/cgi-bin/Xrun.cgi", where Domino will recognize it as a CGI, and run the script. In this case, the "/cgi-bin" URL itself is not recognized as a CGI request. It is only the redirection to "/scripts/cgi-bin" that will cause the Domino server to process it as a CGI script.

At this point, any generic requests for CGI's using "/cgi-bin" will not be recognized as CGI. Instead, the Web server will search for a comparable filename, returning "Error 404 - file not found" since it is not capable of finding such a URL. The customer can now customize the error message to indicate that the requested CGI does not reside on the server.

The above configuration is designed to accomplish the following:

  • Since the current Domino 4.6 Server code may crash any time a non-existent CGI is requested, the potential to run non-existent CGI's must be removed. By this configuration anomalous CGI requests are not recognized as CGI scripts, and Domino will not attempt to run them.

  • The CGI URL path is altered so that only CGI's using the URL "/scripts/cgi-bin..." will be recognized as CGI's. The administrator then creates a URL redirect document for each present CGI that redirects any valid URL requests using the syntax "/cgi-bin..." to the URL "/scripts/cgi-bin...". The Domino Server will then invoke the CGI script. This will avoid the Domino Server attempting to run a CGI that is not present on the server, running only valid CGI's.

  • Since the URL redirect does not display the redirected URL to the browser, end users need not ever know the true URL path to invoke CGI scripts. This further protects the site from unscrupulous web clients deliberately attempting to crash the server by requesting to invoke a non-existent URL. Such a user would need to know the exact URL path to issue for the server to recognize it is a request for a CGI, and would have no way to determine this URL under a secure site.
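A defender running a Domino 4.6 server behind the workaround above still wants to know when clients send the request shape this record describes. The following is an added example, not part of the OSVDB record or of Lotus's post: it scans Common Log Format access-log lines (constructed here, not real traffic) and flags requests under the CGI URL path that are either very long or answered with a 404 (a non-existent CGI). The length cut-off is an assumption, since the record only says "very long URL".

```python
import re
from dataclasses import dataclass

# Assumptions, not values from the advisory: Domino's default "CGI URL path"
# as named in the workaround, and a guessed length cut-off for "very long".
CGI_URL_PATH = "/cgi-bin"
LONG_URL_THRESHOLD = 1024

# Common Log Format: host ident user [time] "METHOD path proto" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

@dataclass
class Finding:
    host: str
    path_len: int
    status: int
    reason: str

def inspect_line(line, cgi_path=CGI_URL_PATH, threshold=LONG_URL_THRESHOLD):
    """Return a Finding when a line matches the trigger shape, else None."""
    m = CLF_RE.match(line)
    if not m:
        return None                      # not CLF, ignore
    path = m.group("path")
    if not path.startswith(cgi_path + "/"):
        return None                      # only the CGI URL path is of interest
    status = int(m.group("status"))
    reasons = []
    if len(path) > threshold:
        reasons.append("long URL")
    if status == 404:
        reasons.append("non-existent CGI")
    if not reasons:
        return None
    return Finding(m.group("host"), len(path), status, " + ".join(reasons))

def scan(lines, **kw):
    """Run inspect_line over an iterable of log lines, keeping the hits."""
    return [f for f in (inspect_line(l, **kw) for l in lines) if f]

# Constructed sample log lines (hosts and paths are made up).
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Dec/1999:10:00:01 -0500] "GET /cgi-bin/Xrun.cgi HTTP/1.0" 200 512',
    '10.0.0.9 - - [21/Dec/1999:10:00:02 -0500] "GET /cgi-bin/' + "A" * 2000 + ' HTTP/1.0" 404 0',
    '10.0.0.7 - - [21/Dec/1999:10:00:03 -0500] "GET /cgi-bin/missing.cgi HTTP/1.0" 404 0',
    '10.0.0.8 - - [21/Dec/1999:10:00:04 -0500] "GET /home.nsf HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

If the "CGI URL path" has been moved to "/scripts/cgi-bin" as the workaround describes, pass that value as `cgi_path` so the scan follows the path Domino actually treats as CGI.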

Short Description

Lotus Domino HTTP Service contains a flaw that may allow a remote denial of service. The issue is triggered when a very long URL for a non-existent page is requested under the /cgi-bin directory, and results in loss of availability for the platform. A hard reboot is required to recover.

References:

  • Vendor Specific Solution URL: http://archives.neohapsis.com/archives/bugtraq/1999-q4/0476.html
  • Related OSVDB ID: 3327
  • Related OSVDB ID: 50
  • Nessus Plugin ID: 10059
  • Mail List Post: http://archives.neohapsis.com/archives/bugtraq/1999-q4/0404.html
  • ISS X-Force ID: 4391
  • CVE-2000-0023
  • Bugtraq ID: 881