Lotus Domino HTTP Vulnerability

CVE-2001-0009

Impact

A remote attacker could read arbitrary files outside the web root directory or cause a denial of service on the web server.

Background

The Lotus Domino family of servers includes a web server which implements the Hypertext Transfer Protocol (HTTP). The Lotus Domino HTTP server, like most servers, keeps all of the files which are allowed to be viewed by a web browser under a directory referred to as the web root.

The Problems


.nsf Folder Traversal

CVE-2001-0009
It is possible to view files outside the web root directory by submitting a request in which the path name begins with "/.nsf/../". Any file on the server can be viewed in this fashion, so long as the attacker knows the full path name of the file and the file resides on the same disk partition as the web root.

Note that not all browsers accept path names of the form described above. So if you try to exploit this vulnerability using your web browser and it doesn't work, it does not necessarily mean your server is not vulnerable -- it could be the browser that prevented the attempt.
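
Because a browser test is not conclusive, the web server's access log is a more reliable place to look for requests of this form. The following is an added example, not part of the original advisory or of any Lotus tooling: it scans log lines for request paths that begin with "/.nsf/../", including percent-encoded spellings of the same prefix. It assumes the log is in Common Log Format; the function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed log layout (Common Log Format):
#   client - - [time] "METHOD target PROTOCOL" status size
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] '
    r'"\S+ (?P<target>\S+)[^"]*" (?P<status>\d{3})\b'
)
PREFIX = "/.nsf/../"  # the path prefix named in the advisory


def is_nsf_traversal(target):
    """True if the request path begins with /.nsf/../ once percent-decoded."""
    path = target.split("?", 1)[0]          # drop the query string
    return unquote(path).lower().startswith(PREFIX)


def scan_log(lines):
    """Return (client, target, status, served) for each matching request.

    served is True for a 2xx response, i.e. the server returned content and
    the request should be reviewed first.
    """
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and is_nsf_traversal(m.group("target")):
            status = int(m.group("status"))
            hits.append((m.group("client"), m.group("target"),
                         status, 200 <= status < 300))
    return hits


# Constructed sample lines (documentation address ranges, illustrative paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jan/2001:10:01:02 +0000] "GET /names.nsf?OpenDatabase HTTP/1.0" 200 5120',
    '198.51.100.7 - - [12/Jan/2001:10:02:17 +0000] "GET /.nsf/../example.txt HTTP/1.0" 200 312',
    '198.51.100.7 - - [12/Jan/2001:10:02:40 +0000] "GET /%2Ensf/%2E%2E/example.txt HTTP/1.0" 404 0',
    '192.0.2.44 - - [12/Jan/2001:10:05:00 +0000] "GET /docs/guide.nsf/view HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for client, target, status, served in scan_log(SAMPLE_LOG):
        print(f"{client} {target} -> {status}{' (content returned)' if served else ''}")
```

A hit with a 2xx status on a server older than 5.0.7 indicates that a file was returned and should be followed up by identifying which file was requested.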


Multiple denial-of-service vulnerabilities

Multiple unrelated denial-of-service vulnerabilities in the processing of HTTP requests could allow a remote attacker to cause the web server to become unresponsive or to cause the web server process to crash.

Resolution

Upgrade to Lotus Domino version 5.0.7 or higher.

Where can I read more about this?

The .nsf vulnerability was reported by Windows IT Security.

The denial-of-service vulnerabilities were reported in Defcom Labs Advisory def-2001-20.