Lotus Domino Web Server R4 on AIX (other platforms not tested) allows remote users to download files in the web root regardless of ECL's or permissions.
e8fa238c58346a1f2b8e39af9e91b98c924e12b393308944758bac278c369ecd
Lotus Domino R4 Web Server -- File Retreival Vulnerability
Digisec.org Security Advisory
Systems affected:
Lotus Domino R4 (Versions 4.x) AIX - have not tested other
versions/platforms
Risk: High
Date: July 2, 2002
Legal Notice:
This advisory is Copyright (c) 2002 Digisec.org
This advisory may be distributed unmodified, however, you may not modify
and distribute (in parts or in it's entirety) without express written
permission.
Disclaimer:
Use this information at your own risk. Digisec.org is not liable for
any damages caused by direct or indirect use of the information or
functionality provided by this advisory. Digisec.org bears no
responsibility for content or misuse of this advisory or any derivatives
thereof.
Description:
Lotus Domino Web Server under AIX (have not tested other versions)
allows downloading of files in the web root directory (rather than
referring to the ECLs within the database or the permissions on the file
itself). This does not work on the standard web scripts included in
Domino such as admin4.nsf, names.nsf, domcfg.nsf, etc. However, if
there are other files or custom-made .nsf databases in the server's web
root directory, they may be downloaded by appending a "?" at the end of
the file name.
Our understanding of this problem is based on the way that Lotus handles
documents in the web root directory. When a request is made to a file,
the addition of the "?" on the end of the file name acts as a wildcard.
The server doesn't know how to handle this character and instead just
delivers the entire file rather than trying to parse the file through
the web handler. This was tested with other various file types (.tar,
.htm, .zip, etc.) all with success.
Exploit Information:
http://dominoserver/nameoffile.ext? will get the file "nameoffile.ext".
Vendor status:
Lotus was notified about the issue. They noted that this issue had
never been reported and suggested a workaround that appears to correct
the issue. Their suggestion was to create a separate directory for the
web site files (don't put them in the web root created during
installation). Also, the permissions on these files should be
appropriately applied. This vulnerability only appears to work on files
within the web root directory not in other folders. This vulnerability
is not an issue in R5 (which was tested by Lotus).
Acknowledgements:
Thanks to the following for your support and insight: Lotus,
packetphobia, rabidpacketmonky and j0hnn135.