Lotus Domino url bypass

Type securityvulns
Reporter Securityvulns
Modified 2002-02-04T00:00:00


Web: http://qb0x.net Author: Gabriel A. Maggiotti Date: Febrary 03, 2002 E-mail: gmaggiot@ciudad.com.ar

General Info

Problem Type : password protected url bypass Product : Lotus Domino Scope : Remote Risk : High


A security vulnerability has been found in the popular Lotus Domino Web server. Lotus Domino have files like webadmin.nsf, log.nsf and names.nfs, this
files are protected by password. I discover that is posible to bypass this password if you create a malformed url.

Notes Databases '.nsf' like webadmin.nsf or log.nsf are store in "lotus/domino/ data/" directory nas Notes Templatesi '.ntf' are store in the same place (Here is the goal).


I found a critical and max length.

assuming the buffer is: http://host.com/<buffer>/

Critical buffer length: is the minimun buffer length you need to bypass the passwd file.

normal url: http://host.com/log.nsf <---- Request for a passwd modify url: http://host.com/log.ntf<buff>.snf/ |-----217 -------|

In the case of log.nsf, <buff> is 217 - 12 = 205 '+' and the url will be:

http://host.com/log.ntf++++++++++++++++++++.nsf/ |-------- 205 -----|

If you write a buffer between 219 and 257(higher buffer), you bypass the passwd. modify url: http://host.com/log.ntf<buff>.snf/ |---219 to 257 --|