Lotus Notes, the client for Lotus Domino servers, features messaging, calendaring, and scheduling capabilities. iNotes Web Access, an alternative to the Notes client, allows access to Domino services through a web browser.
A Lotus Domino database contains documents which are organized into views. A view can be thought of as a pointer to a specific part of a document. Access control lists can be applied at any of the three levels: on a view, on a document, or on the whole database.
3/18/03
CAN 2003-0123
The Web Retriever program/task is responsible for retrieving web pages on behalf of Notes users who want to access the web via their Notes server. The Web Retriever program can be crashed by a hostile remote web server issuing an overly long (~6000 bytes) HTTP status message (e.g., HTTP/1.1 200 Ax6000[CR][LF][CR][LF]). If the Web Retriever is running as a server task, the crash will cause a denial of service on the server. If the Web Retriever is running locally on a client, the crash will bring down the Notes client with it. Even smaller status message lengths may still corrupt the heap without causing an immediate crash; the crash occurs later, when the corrupted portions of the heap are used.
3/26/03
CAN 2003-0179
There is a buffer overflow condition in both Lotus Notes clients and Domino Servers in a backend COM class method that handles controls. A remote attacker could execute arbitrary commands by passing a long, specially crafted value to the InitializeUsingNotesUserName method of the Lotus Domino Session ActiveX Control via an e-mail message or malicious web page. However, this ActiveX control is just one method of exploitation, and is not the source of the vulnerability itself.
Lotus Notes and Domino 5.0.12 and earlier, and 6.0 through 6.0.1 without Critical Fix 1 are affected by this vulnerability.
2/21/03
CAN 2003-0178
When a web server receives a request for a web page, it returns a three-digit response code which indicates the status of the page, such as "200 OK" or "404 Not Found". One possible response code is "302 Redirect", which indicates that the page can be found at a different location. In the Lotus Domino HTTP server, Redirect responses include a Location header which is copied from the Host header sent by the client. Due to insufficient bounds checking on the Location header, a remote attacker could execute arbitrary commands by requesting certain documents and views which are known to result in a Redirect response, and including a long, specially crafted Host header.
Lotus Domino 6.0 and possibly earlier versions are affected by this vulnerability.
2/21/03
CAN 2003-0178
A buffer overflow condition in iNotes 6.0 could allow a remote attacker to execute arbitrary commands by sending a request containing a long, specially crafted value for the s_ViewName/Foldername options of the PresetFields parameter.
11/6/01
When an administrator applies an access control list to a view, he or she is often misled into believing that the access control protects the document from being viewed by unauthorized users. However, the document can also be accessed from any other view, allowing an attacker to bypass the access control list placed on the given view.
11/6/01
CVE 2001-0846
Some Lotus databases are derived from template files, which have the filename extension .ntf. One template file in particular, webadmin.ntf, is intended for use by the Web Administrator. Normally, template files are not accessible by web users, because the .ntf extension prevents the web server from finding the file in the database directory. However, the template file can also be requested by its ReplicaID, a 16-digit hexadecimal number that is used to track concurrent copies of the database across different systems. The ReplicaID of webadmin.ntf is the same across all systems, thus allowing any web user who knows the ReplicaID to access the Web Administrator template. This could allow an unauthorized user to view arbitrary text files or enumerate databases.
11/6/01
CAN 2001-0847
A Lotus database administrator can create a navigator which allows a user to navigate the documents in a database. A default navigator, called $defaultNav, is also provided with each new database. This default navigator exposes a list of database views, which could allow a remote attacker to gain sensitive information.
Note that not all browsers accept path names of the form described above. So if you try to exploit this vulnerability using your web browser and it doesn't work, it does not necessarily mean your server is not vulnerable -- it could be the browser that prevented the attempt.
CAN 2001-0600
CAN 2001-0601
CAN 2001-0602
CAN 2001-0603
CAN 2001-0604
CVE 2001-0939
CAN 2003-0180
CAN 2003-0181
Multiple unrelated denial-of-service vulnerabilities in the processing of HTTP requests could allow a remote attacker to cause the web server to become unresponsive or to cause the web server process to crash.
7/12/02
CAN 2002-1010
Lotus Domino version 4 allows a remote attacker to download arbitrary files from the web root directory by appending a question mark to the file name. This vulnerability cannot be used to access standard Domino web scripts (such as admin4.nsf, names.nsf, and domcfg.nsf) or directories other than the web root, but it can be used to access custom-made .nsf databases or any other files in the web root which should not be accessible by outside users. Lotus Domino version 5 is not affected by this vulnerability.
If iNotes is in use, also upgrade to iNotes accordingly. If any access control lists are applied to database views, ensure that the documents in those views are also protected by access control lists. Create a redirection mapping to prevent access to $defaultNav files. (Keep in mind that every variant of $defaultNav, including hex-encoded and mixed-case, must be redirected. See NISR29102001B for examples.)
Users of Lotus Domino version 4 should create a separate directory for web site files other than the web root created during installation, and apply appropriate permissions for these files.
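The redirection advice above only works if the mapping catches every spelling of $defaultNav. The following is an added example, not code from the original page or from Lotus: it canonicalizes request paths (repeated percent-decoding to catch double encoding, query string dropped, case folded) so that one comparison covers the hex-encoded and mixed-case variants, and can be used to check a redirect mapping or to flag such requests in web logs. The sample paths are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed sample request paths (not taken from the original page).
SAMPLE_PATHS = [
    "/names.nsf/$defaultNav",                          # plain
    "/names.nsf/%24DefaultNav",                        # encoded "$", mixed case
    "/names.nsf/%24%64%65%66%61%75%6c%74%4e%61%76",    # fully hex-encoded
    "/log.nsf/%2524defaultNav",                        # double-encoded "$"
    "/names.nsf/$Defaultnav?OpenNavigator",            # with query string
    "/names.nsf/people?OpenView",                      # legitimate view request
]

def canonical_path(path: str, max_rounds: int = 3) -> str:
    """Drop the query string, percent-decode until stable (bounded, so a
    pathological input cannot loop), and case-fold the result."""
    path = path.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.lower()

def is_default_nav_request(path: str) -> bool:
    """True when the last path element is $defaultNav in any encoding or case."""
    last = canonical_path(path).rsplit("/", 1)[-1]
    return last == "$defaultnav"

def flag_requests(paths):
    """Return the subset of request paths that target $defaultNav."""
    return [p for p in paths if is_default_nav_request(p)]

if __name__ == "__main__":
    for p in flag_requests(SAMPLE_PATHS):
        print("redirect/flag:", p)
```

Any variant that this function matches but the redirection mapping does not is a gap in the mapping.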
The Web Retriever HTTP status buffer overflow was reported in Rapid 7 Advisory R7-0011.
The COM Object Control Handler buffer overflow was reported in a Lotus Technote and in NGSSoftware advisory #NISR17022003e.
The buffer overflows in the Location header and in iNotes were reported in NGSSoftware advisories #NISR17022003a and #NISR17022003b, respectively.
The .nsf vulnerability was reported by Windows IT Security.
The denial-of-service vulnerabilities were reported in Defcom Labs Advisory def-2001-20, VulnWatch, and NGSSoftware advisory #NISR17022003d.
The access control list bypass, web administrator template, and default navigator vulnerabilities were reported by Next Generation Security Software in advisories NISR29102001C, NISR29102001B, and NISR29102001A, respectively.
The file retrieval vulnerability in Lotus Domino version 4 was posted to VulnWatch.