Due to problems handling Windows DOS devices, the Domino Server can be made to disclose the physical location of the web root.
Credit:
The information has been provided by Peter Gründl.
Vulnerable systems:
- Lotus Domino version 5.0.9 on Windows 2000 Server
- Lotus Domino version 5.0.9a on Windows 2000 Server
- Older versions were not tested, but are likely to be vulnerable
Immune systems:
- Lotus Domino version 5.0.10
Lotus Domino on Windows uses the QueryDosDevice function to check whether a referenced file is a DOS device, and then determines whether the file exists using the C runtime access() function.
If a reserved device name such as com5 is passed to access(), it returns 0 (file exists) even though the device is not enabled on the system; it should have returned -1.
With this in mind, an HTTP request can be built that makes the server attempt to parse the file, producing error messages that contain the physical web root.
The cgi parser, htcgibin.exe, has two built-in extension parsers that will yield the desired result (.java and .pl):
http://server/cgi-bin/com5.pl
http://server/cgi-bin/com5.java
Another interesting detail is that the .pl error message is also shown to the user if the user requests:
http://server/cgi-bin/com5<218x.>box
where <218x.> means 218 consecutive periods (..........). The resulting name is too long for the access() function, so the parser checks whether another extension is possible; since .pl is one character shorter, it is accepted.
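The following is an added example, not code from the advisory or from Lotus, of the defensive check a server-side existence test needs on Windows: recognise reserved DOS device names before calling access(), since, as described above, access() reports a name such as com5 as an existing file. It is portable C and does not call QueryDosDevice; the sample file names are constructed for illustration, and the Windows naming rules it encodes (extension and trailing dots ignored, COM1 to COM9 and LPT1 to LPT9 reserved) come from general knowledge of Windows rather than from the advisory.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/*
 * Added example, not Lotus or Domino code: a portable check that recognises
 * reserved Windows DOS device names (CON, PRN, AUX, NUL, COM1-COM9,
 * LPT1-LPT9) in a file name before the name is handed to access().
 * Windows resolves "com5.pl", "com5.java" and "com5.....box" to the COM5
 * device regardless of extension, so an existence test based on access()
 * alone misreports them as present, as the advisory describes.
 */

/* Return 1 if `name` (a single path component) names a DOS device. */
int is_dos_device_name(const char *name)
{
    static const char *const fixed[] = { "CON", "PRN", "AUX", "NUL" };
    char base[16];
    size_t n = 0;

    /* The device name is the part before the first '.'; the extension and
     * any trailing dots are ignored by Windows. A base longer than the
     * buffer can never be a device name, so reject it early. */
    while (name[n] != '\0' && name[n] != '.') {
        if (n >= sizeof(base) - 1)
            return 0;
        base[n] = (char)toupper((unsigned char)name[n]);
        n++;
    }
    base[n] = '\0';

    /* Windows also ignores trailing spaces in the base name. */
    while (n > 0 && base[n - 1] == ' ')
        base[--n] = '\0';

    for (size_t i = 0; i < sizeof(fixed) / sizeof(fixed[0]); i++)
        if (strcmp(base, fixed[i]) == 0)
            return 1;

    /* COMn and LPTn for n = 1..9 (COM10 and above are not reserved). */
    if (n == 4 && (memcmp(base, "COM", 3) == 0 || memcmp(base, "LPT", 3) == 0)
        && base[3] >= '1' && base[3] <= '9')
        return 1;

    return 0;
}

/*
 * Hardened existence check: reject device names before consulting access(),
 * so the C runtime's device handling cannot influence the answer.
 * Returns 1 if the file exists, 0 if it does not, -1 if the name was
 * rejected as a DOS device.
 */
int safe_file_exists(const char *path)
{
    /* Only the final path component can name a device; accept either
     * separator so the check also covers paths built on Windows. */
    const char *base = path;
    const char *p;
    if ((p = strrchr(base, '/')) != NULL)
        base = p + 1;
    if ((p = strrchr(base, '\\')) != NULL)
        base = p + 1;

    if (is_dos_device_name(base))
        return -1;
    return access(path, F_OK) == 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed sample names, including the two request forms from the
     * advisory and a long run of dots before a bogus extension. */
    const char *samples[] = {
        "com5.pl", "com5.java", "com5.........box", "lpt3", "con.txt",
        "com10.pl", "index.html", "nul"
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-20s device=%d\n", samples[i], is_dos_device_name(samples[i]));
    return 0;
}
```

The check runs before access() rather than after it because, as the advisory shows, access() itself is the component giving the wrong answer for device names; stripping the extension and trailing dots first is what makes the long-name variant above fall under the same rule.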
Vendor response:
The vendor was contacted on 7 February, 2002. On 8 February, the vendor replied that the "htcgibin.exe" module would be redesigned in the next release of Domino (5.0.10). In late March 2002 the vendor released the new version, which corrected the issue.
Corrective action:
Upgrade to Lotus Domino V5.0.10, which can be downloaded here:
http://www.notes.net/qmrdown.nsf