domino.r4.txt

03 Jul 2002 00:00:00 | Reported by Andrew T | Type: packetstorm | Source: packetstormsecurity.com

Lotus Domino R4 Web Server allows unauthorized retrieval of files stored in the web root directory. The advisory rates the risk as high.

`Lotus Domino R4 Web Server -- File Retrieval Vulnerability  
  
  
Digisec.org Security Advisory  
  
  
  
Systems affected:  
  
  
  
Lotus Domino R4 (Versions 4.x) AIX - have not tested other   
versions/platforms  
  
  
  
Risk: High  
  
Date: July 2, 2002  
  
  
  
Legal Notice:  
  
  
  
This advisory is Copyright (c) 2002 Digisec.org   
  
  
  
This advisory may be distributed unmodified, however, you may not modify   
and distribute (in parts or in its entirety) without express written   
permission.  
  
  
  
Disclaimer:  
  
  
  
Use this information at your own risk. Digisec.org is not liable for   
any damages caused by direct or indirect use of the information or   
functionality provided by this advisory. Digisec.org bears no   
responsibility for content or misuse of this advisory or any derivatives   
thereof.  
  
  
  
Description:  
  
  
  
Lotus Domino Web Server under AIX (have not tested other versions)   
allows downloading of files in the web root directory (rather than   
referring to the ECLs within the database or the permissions on the file   
itself). This does not work on the standard web scripts included in   
Domino such as admin4.nsf, names.nsf, domcfg.nsf, etc. However, if   
there are other files or custom-made .nsf databases in the server's web   
root directory, they may be downloaded by appending a "?" at the end of   
the file name.  
  
  
  
Our understanding of this problem is based on the way that Lotus handles   
documents in the web root directory. When a request is made to a file,   
the addition of the "?" on the end of the file name acts as a wildcard.   
The server doesn't know how to handle this character and instead just   
delivers the entire file rather than trying to parse the file through   
the web handler. This was tested with other various file types (.tar,   
.htm, .zip, etc.) all with success.  
  
  
  
Exploit Information:  
  
  
  
http://dominoserver/nameoffile.ext? will get the file "nameoffile.ext".  
  
  
  
  
  
Vendor status:  
  
Lotus was notified about the issue. They noted that this issue had   
never been reported and suggested a workaround that appears to correct   
the issue. Their suggestion was to create a separate directory for the   
web site files (don't put them in the web root created during   
installation). Also, the permissions on these files should be   
appropriately applied. This vulnerability only appears to work on files   
within the web root directory not in other folders. This vulnerability   
is not an issue in R5 (which was tested by Lotus).  
  
  
  
Acknowledgements:  
  
  
  
Thanks to the following for your support and insight: Lotus,   
packetphobia, rabidpacketmonky and j0hnn135.  
  
`
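
For administrators reviewing an affected server, the request pattern the advisory describes (a file directly in the web root requested with a trailing bare "?") can be searched for in web access logs. The following is an added example, not part of the Digisec.org advisory; it assumes text access logs in Common Log Format, and the function name and sample log lines are constructed for illustration.

```python
import re

# Common Log Format entry; the log format is an assumption of this example.
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# A file directly in the web root followed by a bare "?" (empty query string).
# Ordinary Domino URLs carry a command after the "?", e.g. ?OpenDatabase,
# and files in subdirectories are outside the behaviour the advisory reports.
BARE_QMARK = re.compile(r'^/(?P<name>[^/?]+)\?$')


def find_bare_qmark_downloads(lines):
    """Return (host, timestamp, file name, bytes sent) for each successful
    GET/HEAD of a web-root file requested with a trailing bare '?'."""
    hits = []
    for line in lines:
        entry = CLF.match(line)
        if not entry or entry["method"] not in ("GET", "HEAD"):
            continue
        target = BARE_QMARK.match(entry["target"])
        if target and entry["status"].startswith("2"):
            size = 0 if entry["size"] == "-" else int(entry["size"])
            hits.append((entry["host"], entry["ts"], target["name"], size))
    return hits


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Jul/2002:10:00:01 -0400] "GET /names.nsf?OpenDatabase HTTP/1.0" 401 212',
    '192.0.2.10 - - [03/Jul/2002:10:00:05 -0400] "GET /custom.nsf? HTTP/1.0" 200 1048576',
    '192.0.2.10 - - [03/Jul/2002:10:00:09 -0400] "GET /backup.tar? HTTP/1.0" 200 52428800',
    '198.51.100.7 - - [03/Jul/2002:10:02:00 -0400] "GET /site/index.htm? HTTP/1.0" 200 900',
    '198.51.100.7 - - [03/Jul/2002:10:02:03 -0400] "GET /names.nsf? HTTP/1.0" 401 212',
    '198.51.100.7 - - [03/Jul/2002:10:02:07 -0400] "GET /index.htm HTTP/1.0" 200 4096',
]

if __name__ == "__main__":
    for host, ts, name, size in find_bare_qmark_downloads(SAMPLE_LOG):
        print(f"{ts} {host} fetched {name} ({size} bytes) via trailing '?'")
```

Large byte counts on flagged entries for .nsf or archive files are the ones to review first, since they indicate a whole file was delivered.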