Lotus Domino HTTP contains three security vulnerabilities (CGI and Denial-of-Service)
22 Dec. 1999
Summary
Lotus Domino HTTP server can be used as a traditional Web server, serving static HTML documents and executing CGI-Bin scripts. These features are turned on by default, and the /cgi-bin virtual path is mapped to the \domino\cgi-bin directory. Lotus Domino HTTP server contains three security vulnerabilities: two related to CGI handling and one a denial-of-service condition.
Exposing configuration of local file system
When requesting http://server/cgi-bin/blabla, the HTTP response is:
Error 500
Bad script request -- no variation of 'c:/notes/data/domino/cgi-bin/blabla' is executable
The error message reveals the OS type and installation details (the physical path of the cgi-bin directory).
Anonymous access is permitted
Turning off anonymous access in the Server document of the Notes Name & Address Book has no effect on the cgi-bin directory: anonymous access is still permitted. The same applies to "SSL redirection of entire server": cgi-bin can still be accessed over the plain HTTP port.
Denial of Service attack
The handling of the error response to bad requests (such as the example above) is vulnerable to a buffer overflow: sending a very long URL under the cgi-bin virtual path crashes the HTTP task immediately, and it stops servicing requests (including standard Notes database access over HTTP). If Domino is launched as an NT service, the service does not stop completely; the remaining processes must be killed (using kill.exe from the NT Resource Kit) or Windows NT rebooted.
Not all such requests crash the server, but sending the following request (800 dots followed by 4000 'a' characters) kills the HTTP executable every time:
GET /cgi-bin/... (800 .) aaaa (4000 a) HTTP/1.0
If you do not use cgi-bin on your Domino server, change the cgi-bin virtual directory in the Server document to something hard to guess. Leaving the field empty has no effect.
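As an added example (not part of the original advisory), the following Python scans web-server access log lines in Common Log Format for the three patterns described above: anonymous requests under the cgi-bin virtual path, 500 responses to non-existent CGI names (path-disclosure probing), and oversized cgi-bin URLs. The log lines, the cgi-bin path and the 1024-byte length threshold are constructed assumptions, not values taken from the advisory.

```python
import re
from typing import Dict, List

# Common Log Format: client ident user [time] "METHOD path PROTO" status bytes
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample log lines (assumed format); the oversized path is built
# from a filler character here rather than copied from the advisory.
SAMPLE_LOG = [
    '10.0.0.5 - alice [22/Dec/1999:10:00:01 +0000] "GET /names.nsf HTTP/1.0" 200 1234',
    '10.0.0.7 - - [22/Dec/1999:10:00:02 +0000] "GET /cgi-bin/blabla HTTP/1.0" 500 98',
    '10.0.0.7 - - [22/Dec/1999:10:00:03 +0000] "GET /cgi-bin/' + 'x' * 1500 + ' HTTP/1.0" 500 0',
    '10.0.0.9 - bob [22/Dec/1999:10:00:04 +0000] "GET /cgi-bin/report.pl HTTP/1.0" 200 512',
]


def scan_log(lines: List[str], cgi_path: str = "/cgi-bin/", max_len: int = 1024,
             anonymous_allowed: bool = False) -> List[Dict]:
    """Return one finding per suspicious CGI request seen in the log lines."""
    findings: List[Dict] = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m or not m["path"].startswith(cgi_path):
            continue  # malformed line, or not a request under the CGI virtual path
        client, user, path, status = m["client"], m["user"], m["path"], m["status"]
        if len(path) > max_len:
            # Oversized URL under cgi-bin: the pattern that crashes the HTTP task
            findings.append({"client": client, "rule": "oversized_cgi_request", "length": len(path)})
        elif status == "500":
            # "Bad script request" for a non-existent script leaks the install path
            findings.append({"client": client, "rule": "cgi_probe_500", "path": path})
        if user == "-" and not anonymous_allowed:
            # Unauthenticated client reached cgi-bin although anonymous access is disabled
            findings.append({"client": client, "rule": "anonymous_cgi_access", "path": path[:40]})
    return findings
```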