90591 2003-02-12  23:59  /32 lines/ Faz <faz@attbi.com>
Imported: 2003-02-12  23:59  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3489>
Subject: Lotus Domino DOT Bug Allows for Source Code Viewing
------------------------------------------------------------
Through some testing against some Lotus Domino web servers (verified
in version 5 & 6), if you append a period to the end of a non-default
Lotus file type (non .NSF, .NTF, etc) via your browser URL request,
you will be prompted to download the file. This has a possible
repercussion of the ability to view the source code for add-in
web handlers such as Crystal Reports, Perl scripts and others. In
some cases (such as Crystal Reports) where such file types are
server-side run (similar to .ASP), they may reference additional
INCLUDE files that contain logins and passwords. An attacker can
easily use this technique to view the server-side source code and
additional INCLUDE files to obtain private information.

For example:
http://some.dominoserver.com/reports/secretreport.csp. <-- End the URL with
a <period>
http://some.dominoserver.com/cgi-bin/myscript.pl . <-- notice the
<space><period>
http://some.dominoserver.com/cgi-bin/runme.exe%20. <-- combination of hex
<space> and an ASCII period
http://some.dominoserver.com/reports/secretreport.csp%20%2E <-- All hex
values
will return the actual .CSP source code instead of the compiled report. This
seems to work for all types of non-native Lotus Domino file types. A short
term workaround is to create Domino redirection filters for the various
non-native file types and ending them with the combinations above, but some
creative formatting of the URL can easily bypass these redirection filters.

Lotus has been notified, and during the initial report, was not too
concerned about this. It has been passed to development for further
consideration. Maybe getting the word out about this will apply some
pressure to Lotus to issue a fix.
(90591) /Faz <faz@attbi.com>/-------------(Rewrapped)
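The post's point that a redirection filter matching the literal URL variants is easy to bypass suggests the defensive check should percent-decode the request path first and only then look for dangling spaces or periods after a file extension. The following is an added detection example (not from the post or from Lotus), run over constructed Common Log Format lines; the log lines and hostnames are made up.

```python
import re
from posixpath import splitext
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines; the request targets mirror the
# variants described in the post (plain, space+dot, %20+dot, all-hex).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Feb/2003:10:01:02 -0500] "GET /reports/secretreport.csp HTTP/1.0" 200 5120',
    '10.0.0.5 - - [12/Feb/2003:10:01:09 -0500] "GET /reports/secretreport.csp. HTTP/1.0" 200 2210',
    '10.0.0.5 - - [12/Feb/2003:10:01:15 -0500] "GET /cgi-bin/myscript.pl . HTTP/1.0" 200 1844',
    '10.0.0.5 - - [12/Feb/2003:10:01:21 -0500] "GET /cgi-bin/runme.exe%20. HTTP/1.0" 200 9001',
    '10.0.0.5 - - [12/Feb/2003:10:01:30 -0500] "GET /reports/secretreport.csp%20%2E HTTP/1.0" 200 2210',
    '10.0.0.5 - - [12/Feb/2003:10:01:40 -0500] "GET /names.nsf?OpenDatabase HTTP/1.0" 200 300',
]

# Request line: method, target, protocol. The target is matched non-greedily
# so that a raw space before the final period ("myscript.pl .") survives.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>.*?) HTTP/[\d.]+"')


def fully_decode(text, max_rounds=3):
    """Percent-decode repeatedly (bounded) so that %2E and a double-encoded
    %252E both resolve to a literal period before the trailing-char check."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def canonical_path(target):
    """Return (decoded_path, canonical_path): the decoded path, and the same
    path with trailing spaces/periods removed, i.e. the name the file system
    lookup effectively resolves."""
    decoded = fully_decode(urlsplit(target).path)
    return decoded, decoded.rstrip(" .")


def is_trailing_dot_request(target):
    """True when the path differs from its canonical form only by dangling
    spaces/periods after a file name that carries an extension."""
    decoded, canon = canonical_path(target)
    return decoded != canon and splitext(canon)[1] != ""


def flag_log_lines(lines):
    """Return the request targets in the given log lines matching the pattern."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and is_trailing_dot_request(m.group("target")):
            hits.append(m.group("target"))
    return hits


if __name__ == "__main__":
    for hit in flag_log_lines(SAMPLE_LOG):
        print("suspicious request target:", hit)
```

The same canonicalisation (decode, then strip trailing spaces and periods) is what a filter in front of the add-in handlers should apply before deciding whether a request is allowed, rather than matching the encoded forms one by one.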
90707 2003-02-13  23:56  /34 lines/  <JRedmond@ymcastlouis.org>
Imported: 2003-02-13  23:56  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3506>
Subject: Re: Lotus Domino DOT Bug Allows for Source Code Viewing
------------------------------------------------------------

"Faz" <faz@attbi.com> wrote:
>  Through some testing against some Lotus Domino web servers (verified in
version 5 & 6), if you append a period to the end of a non-default Lotus
file type (non .NSF, .NTF, etc) via your browser URL request, you will be
prompted to download the file.

I have been unable to recreate this on Domino 5.0.11, running on
OS/400 V5R1.  I get a 404 instead, whether I use MSIE or Mozilla or
Opera, whether the trailing dot is present or not, and whether my
connection is anonymous or name-and-password authenticated.

The difference here probably lies in the "Does this server use IIS?"
option on the Domino Server Document (as maintained by the server's
administrator).  If checked, IIS handles all HTTP requests first.  If
this option is enabled, and the request is for non-Domino traffic
(such as the examples listed in the original message), Domino does
not receive the request.  I have this option disabled on the system I
tested; that particular operating system is not blessed with IIS.

Please check Microsoft's knowledge base and this list's archives to
see if this is another IIS bug.  If that's the case, then it may be
why Lotus is "not too concerned about this" - it's nothing they can
fix.

************************************
James Redmond, Domino Administrator
YMCA of Greater St. Louis
+1-314-436-1177 ext. 326
FAX +1-314-436-1901
jredmond@ymcastlouis.org
************************************
(90707) / <JRedmond@ymcastlouis.org>/-----(Rewrapped)