扫一扫
分享文章到微信
扫一扫
关注官方公众号
至顶头条
| BUGTRAQ ID | 严重程度 | CVE ID | 发布日期 | 更新日期 |
| 4022 | 高 | 2002-02-07 | 2002-02-07 | |
| 错误类型 | 利用方式 | 威胁类型 | ||
| 边界检查错误 | 服务器模式 | 权限提升 | ||
| 所影响的操作系统和应用程序 | ||||
| Lotus Domino 5.0 Lotus Domino 5.0.1 - HP HP-UX 9.9 - IBM AIX 4.3 - IBM OS/2 4.5Warp - IBM OS/390 V2R9 - Linux kernel 2.3 - Microsoft Windows 2000 Workstation - Microsoft Windows NT 4.0 - Sun Solaris 8.0 Lotus Domino 5.0.2 - HP HP-UX 9.9 - IBM AIX 4.3 - IBM OS/2 4.5Warp - IBM OS/390 V2R9 - Linux kernel 2.3 - Microsoft Windows 2000 Workstation - Microsoft Windows NT 4.0 - Sun Solaris 8.0 Lotus Domino 5.0.3 - HP HP-UX 9.9 - IBM AIX 4.3 - IBM OS/2 4.5Warp - IBM OS/390 V2R9 - Linux kernel 2.3 - Microsoft Windows 2000 Workstation - Microsoft Windows NT 4.0 - Sun Solaris 8.0 Lotus Domino 5.0.4 - HP HP-UX 9.9 - IBM AIX 4.3 - IBM OS/2 4.5Warp - IBM OS/390 V2R9 - Linux kernel 2.3 - Microsoft Windows 2000 Workstation - Microsoft Windows NT 4.0 - Sun Solaris 8.0 Lotus Domino 5.0.5 - HP HP-UX 9.9 - IBM AIX 4.3 - IBM OS/2 4.5Warp - IBM OS/390 V2R9 - Linux kernel 2.3 - Microsoft Windows 2000 Workstation - Microsoft Windows NT 4.0 - Sun Solaris 8.0 Lotus Domino 5.0.6 - HP HP-UX 9.9 - IBM AIX 4.3 - IBM OS/2 4.5Warp - IBM OS/390 V2R9 - Linux kernel 2.3 - Microsoft Windows 2000 Workstation - Microsoft Windows 2000 Workstation SP1 - Microsoft Windows 2000 Workstation SP2 - Microsoft Windows NT 4.0 - Microsoft Windows NT 4.0SP1 - Microsoft Windows NT 4.0SP2 - Microsoft Windows NT 4.0SP3 - Microsoft Windows NT 4.0SP4 - Microsoft Windows NT 4.0SP5 - Microsoft Windows NT 4.0SP6 - Microsoft Windows NT 4.0SP6a - Sun Solaris 8.0 Lotus Domino 5.0.7a Lotus Domino 5.0.7 - HP HP-UX 9.9 - IBM AIX 4.3 - IBM OS/2 4.5Warp - IBM OS/390 V2R9 - Linux kernel 2.3 - Microsoft Windows 2000 Workstation - Microsoft Windows NT 4.0 - Sun Solaris 8.0 Lotus Domino 5.0.8 Lotus Domino 5.0.9a Lotus Domino 5.0.9 | ||||
| 详细描述 | ||||
| Lotus Domino Web 服务程序中存在一个安全漏洞,Lotus Domino包含如webadmin.nsf, log.nsf 和 names.nfs等文件,这些文件使用密码保护,如果你建立特殊的URL可以绕过这密码的保护机制。 like webadmin.nsf 或者 log.nsf 存储在"lotus/domino/data/" 中作为Notes模板文件使用。 | ||||
| 测试代码 | ||||
| I found a critical and max length. assuming the buffer is: http://host.com/<buffer>/ Critical buffer length: is the minimun buffer length you need to bypass the passwd file. normal url: http://host.com/log.nsf <---- Request for a passwd modify url: http://host.com/log.ntf<buff>.snf/ |-----217 -------| In the case of log.nsf, <buff> is 217 - 12 = 205 '+' and the url will be: http://host.com/log.ntf++++++++++++++++++++.nsf/ |-------- 205 -----| If you write a buffer between 219 and 257(higher buffer), you bypass the passwd. modify url: http://host.com/log.ntf<buff>.snf/ |---219 to 257 --| | ||||
| 解决方案 | ||||
| 建议限制对这些文件的访问或者删除这些文档。 | ||||
| 发现者 | ||||
| Gabriel A. Maggiotti <gmaggiot@ciudad.com.ar>. 参考:http://www.securityfocus.com/archive/1/253835 http://www.securityfocus.com/archive/1/254003 http://www.nextgenss.com/papers/hpldws.pdf 相关主页:http://www.lotus.com/home.nsf/welcome/domino | ||||
如果您非常迫切的想了解IT领域最新产品与技术信息,那么订阅至顶网技术邮件将是您的最佳途径之一。
京公网安备 11010802021500号