OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Ben Greenbaum (bgreenbaumSECURITYFOCUS.COM)
Date: Wed Jan 10 2001 - 11:04:30 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Summary of responses to .nsf/../ issue:

    ---------------------------
    From: tschweikleFIDUCIA.de

    Domino is installed in D:\programme\notes, the data-directory
    is D:\programme\notes\data (an NT4 box with Domino R4.6.7):

    with http://myserver/.nsf/../Programme/notes/data/notes.ini
    I might therefore reach notes.ini. But:

    Error 404
    Not found - file doesn't exist or is read protected [even tried multi]

    My second box is Linux with Domino R5.0.6:

    installation path is: /opt/lotus/notes. Data is in /local/notesdata
    These are different partitions.

    Trying

    http://myserver2/.nsf/../local/notesdata/notes.ini or
    http://myserver2/.nsf/../notesdata/notes.ini or
    http://myserver2/.nsf/../notes.ini or
    http://myserver2/.nsf/../opt/lotus/notes/license.txt
    ...
    http://myserver2/.nsf/../opt/license.txt

    all give the same error:

    Error 404
    Not found - file doesn't exist or is read protected [even tried multi]

    Thus I couldn't confirm your vulnerability. But on the other hand,
    both servers are really restrictive in what is allowed to do for
    domino. Maybe the error message should read: "... does not have
    permission to read this file."

    But remarkably there are no log entries telling me one tried to
    access an normally inaccessible file. Apache tells me about such
    an attempt!

    ---------------------------------
    From: Karl_Rademacheragl.aon.com
         I've been unable to reproduce this on a machine under my control. It just
    strips out the .nsf/../ portion of the url and returns the standard "404 File
    not found" message. Did you experience anything like that (in other words, am I
    doing something wrong?). Here are the particulars of the server in question:

    NT4 SP6 with TCP security patches
    All forms of NT networking un-installed except the IP stack.
    Domino R5.05 running on a non-system partition
    HTTP server forces an ssl connect, user authentication and doesn't allow
    directory browsing.

         I'm thinking that something to do with the directory browsing restriction
    is causing the .nsf/../ to be stripped out of the GET request by the server, but
    I could be wrong. Still, I don't get the "URL Containing .. Forbidden" message.
    Any insights?

    ----------------------------------------
    From: Felix Grushevskiy <filviaduk.net>

    Version 5.06 (nt4sp6a) is also affected by this