Lotus Domino Web Server Host/Location Buffer Overflow Vulnerability
17 Feb. 2003
Lotus Domino and Notes together provide a full-featured enterprise collaboration system, with Domino providing application server services. A buffer overflow in the server allows a remote attacker to cause it to execute arbitrary code.
Lotus Domino 6 suffers from a remotely exploitable buffer overrun vulnerability when performing a redirect operation. When building the 302 Redirect response, the server takes the client-provided "Host" header and inserts this value into the "Location" server header. By requesting certain documents or views in certain databases, the server can be forced to perform a redirect operation, and by supplying an overly long string for the hostname, a buffer can be overflowed, allowing an attacker to gain control of the Domino Web Services process. By default, these databases can be accessed by anonymous users. Any arbitrary code supplied will run in the context of the account running Domino, allowing an attacker to gain control of the server.
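The class of bug described above, shown as an added C example that is not Domino's code or part of the original advisory: an unchecked copy of the Host value into a fixed Location buffer, next to a form that validates the length and characters and writes with a bound. The function names, buffer size and Host length cap are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_HOST 255     /* assumed cap on Host length (DNS names are at most 253 chars) */
#define LOCATION_BUF 512 /* assumed size of the fixed response-header buffer */

/* Unsafe pattern (illustrative, never called): Host copied into a fixed buffer unchecked. */
void build_location_unsafe(char *out, const char *host, const char *path) {
    sprintf(out, "Location: http://%s%s\r\n", host, path); /* no bound on host */
}

/* 1 if host looks like hostname[:port] within MAX_HOST, else 0.
 * IPv6 literals are left out of this sketch. */
int host_is_valid(const char *host) {
    size_t n = strlen(host);
    if (n == 0 || n > MAX_HOST) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-' && c != ':') return 0;
    }
    return 1;
}

/* Hardened form: validate, then bounded write. 0 on success, -1 if rejected or too long. */
int build_location_safe(char *out, size_t outlen, const char *host, const char *path) {
    if (!host_is_valid(host)) return -1;
    int n = snprintf(out, outlen, "Location: http://%s%s\r\n", host, path);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Constructed input: a Host value of `len` filler bytes, run through the safe path. */
int try_host_of_length(size_t len) {
    char out[LOCATION_BUF];
    char *host = malloc(len + 1);
    if (!host) return -1;
    memset(host, 'a', len);
    host[len] = '\0';
    int rc = build_location_safe(out, sizeof out, host, "/");
    free(host);
    return rc;
}

int main(void) {
    printf("len 20   -> %d\n", try_host_of_length(20));
    printf("len 4000 -> %d\n", try_host_of_length(4000));
    return 0;
}
```

A rejected Host should produce an error response rather than a redirect built from a truncated value.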
IBM Lotus Notes and Domino Release 6.0.1 is now available and is being marketed as the first maintenance release. IBM say that if customers haven't already upgraded or migrated to Notes and Domino 6, now is the time to move and start reaping the benefits of this existing and highly praised release. Release 6.0.1 includes fixes to enhance the quality and reliability of the Notes and Domino 6 products. It does not, however, mention any security issues, and NGS would strongly advise customers to upgrade as soon as possible, not just to "reap the benefits" but to secure the server and data against possible attacks.