From: Alex Kloss (alexkloss@att.net)
Date: Tue Mar 07 2006 - 15:31:30 EST
From what I've gathered, it would appear that Lotus is aware that
"admin4.nsf" is accessible by unauthenticated users. A Google search
revealed that the L0pht team discovered a vulnerability in Domino that
lets unauthenticated users view admin4.nsf.
In addition to this, it also looks like you can change the file's data
and potentially alter the site's intended behavior. If the site hasn't
prohibited directory browsing, you should also be able to view the
directory with the command "http://www.example.com/?open" and view the
admin4.nsf file with "http://example.com/admin4.nsf" and get some useful
information from there.
Hope this helps.
On Mon, 06 Mar 2006 15:44:30 -0500, 3 shool <3shool@gmail.com> wrote:
> Hi,
>
> I'm doing an external blackbox PT on a mail server running Lotus
> Domino. The server OS is Windows 2000 and web server is Lotus Domino.
> It has following ports open:
>
> 80 - Lotus Domino httpd
> 443 - Lotus Domino httpd
> 1352 - Lotus Domino server
> 5631 - PCAnywhere
>
> During a manual assessment I discovered "admin4.nsf" on server,
> accessible without any sort of authentication. It is suppose to be
> the Administrator Request Database. From the name I suppose this
> should be something that shouldn't be visible to everyone. I don't
> have any experience in Lotus Domino. I read a couple of docs on
> Internet but couldn't get the real implication of such a
> vulnerability. I'm a little hesitant to perform any actions with the
> interface as it might disrupt some activities on the server and client
> might not like it.
>
> Is there anybody on the list who could guide me on the implication of
> this vulnerability and how to get a proper sense of it. What are the
> functionalities of 'admin4.nsf' and what damage could it do if an
> un-authenticated user has access to it.
>
> Looking forward to some enlightenment on this topic.
>
> Now I'm going to downlaod a Lotus client and see what I can do with
> the other open port "1352", looks like another hole from where I can
> find my way in.
>
> Thank you.
>
> ------------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Concerned about Web Application Security?
> As attacks through web applications continue to rise, you need to
> proactively
> protect your applications from hackers. Cenzic has the most comprehensive
> solutions to meet your application security penetration testing and
> vulnerability management needs. You have an option to go with a managed
> service (Cenzic ClickToSecure) or an enterprise software (Cenzic
> Hailstorm).
> Download FREE whitepaper on how a managed service can help you:
> http://www.cenzic.com/news_events/wpappsec.php
> And, now for a limited time we can do a FREE audit for you to confirm
> your
> results from other product. Contact us at request@cenzic.com
> ------------------------------------------------------------------------------
>
-- Using Opera's revolutionary e-mail client: http://www.opera.com/mail/ ------------------------------------------------------------------------------ This List Sponsored by: Cenzic Concerned about Web Application Security? As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request@cenzic.com ------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:37 EDT