|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Sebastien EXT-MICHAUD (Sebastien.EXT-MICHAUD
atofina.com)Date: Fri Dec 07 2001 - 07:23:10 CST
Tested on :
-----------
LOTUS DOMINO 5.0.5 (french) and LOTUS DOMINO 5.0.8 (french) with http service running.
OS : Windows NT 4.0 sp4
Description :
-------------
With a particular craft URL, an anonymous users can lock the databases accesses.
Result : Any notes users (even the administrators and the servers) can not access the targeted databases until the domino server will be restarted .
Except the fact that this bug induce a DoS on the targeted bases, it can perform a DoS on the entire Domino server, if certainty bases are locked. In this case there is no way to stop the Domino server task. The computer need to be phisically reboot.
This bug appears when the targeted database is not in-use by the server (so, names.nsf and admin4.nsf are not focused here) and requested through a web browser with the database name precess by a " /./ " in the requested URL.
Note :
---------------
We have warned Lotus on the 11/23/01, but we did not receive any answer from their part.
Exploit :
----------
http://server_adress/directory/./base_name.nsf
Example to lock the WEDADMIN.NSF database :
http://server/./webadmin.nsf
Example to lock the administrator mailbox : http://server/mail/./administrator.nsf
Sébastien MICHAUD --- Olivier ALLAIRE
I.T. Security engineer
CONIX
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]