Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2015-2022 Tenable Network Security, Inc.DOMINO_DB_NO_PASSWORD.NASL
HistoryOct 09, 2015 - 12:00 a.m.

IBM Domino ZMerge Database Security Bypass

2015-10-0900:00:00
This script is Copyright (C) 2015-2022 Tenable Network Security, Inc.
www.tenable.com
1314

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.015

Percentile

87.1%

JSON

The version of IBM Domino (formerly IBM Lotus Domino) running on the remote host is affected by a security bypass vulnerability due to insufficient access control list (ACL) settings on the administration databases for ZMerge. An unauthenticated, remote attacker can exploit this issue to disclose configuration information about the IBM Domino server installation or possibly to gain manager level access.

Note that this plugin may report Domino databases without ZMerge, if the databases are found to be non-password protected.

#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(86322);
  script_version("1.10");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/10/06");

  script_cve_id("CVE-2002-0664");
  script_bugtraq_id(5101);

  script_name(english:"IBM Domino ZMerge Database Security Bypass");

  script_set_attribute(attribute:"synopsis", value:
"A remote database can be accessed without credentials.");
  script_set_attribute(attribute:"description", value:
"The version of IBM Domino (formerly IBM Lotus Domino) running on the
remote host is affected by a security bypass vulnerability due to
insufficient access control list (ACL) settings on the administration
databases for ZMerge. An unauthenticated, remote attacker can exploit
this issue to disclose configuration information about the IBM Domino
server installation or possibly to gain manager level access.

Note that this plugin may report Domino databases without ZMerge, if 
the databases are found to be non-password protected.");
  # https://www.ibm.com/developerworks/lotus/library/dominowebserver-security/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?06aa671b");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2002/Sep/51");
  script_set_attribute(attribute:"solution", value:
"Verify all of the ACLs for the available databases.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute: "cvss_score_source", value: "CVE-2002-0664");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2002/09/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/10/09");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:lotus_domino");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2015-2022 Tenable Network Security, Inc.");

  script_dependencies("http_version.nasl");
  script_require_keys("www/domino");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("http.inc");
include("webapp_func.inc");

port = get_http_port(default:80);

get_kb_item_or_exit("www/domino");

if (!thorough_tests)
{
  dbs = make_list(
    "admin4.nsf",
    "log.nsf",
    "names.nsf",
    "reports.nsf",
    "webadmin.nsf"
  );
}

else
{
  dbs = make_list(
    "account.nsf",
    "accounts.nsf",
    "admin4.nsf",
    "agentrunner.nsf",
    "AgentRunner.nsf",
    "archive/a_domlog.nsf",
    "archive/l_domlog.nsf",
    "bookmark.nsf",
    "books.nsf",
    "busytime.nsf",
    "calendar.nsf",
    "catalog.nsf",
    "cersvr.nsf",
    "certlog.nsf",
    "certsrv.nsf",
    "collect4.nsf",
    "cpa.nsf",
    "database.nsf",
    "db.nsf",
    "dbdirman.nsf",
    "decsadm.nsf",
    "default.nsf",
    "doladmin.nsf",
    "domcfg.nsf",
    "domguide.nsf",
    "domino.nsf",
    "domlog.nsf",
    "events4.nsf",
    "group.nsf",
    "groups.nsf",
    "hidden.nsf",
    "iNotes/Forms5.nsf",
    "lccon.nsf",
    "ldap.nsf",
    "lndfr.nsf",
    "log.nsf",
    "loga4.nsf",
    "mab.nsf",
    "mail.box",
    "mail/admin.nsf",
    "mailw46.nsf",
    "mtabtbls.nsf",
    "name.nsf",
    "names.nsf",
    "nntppost.nsf",
    "notes.nsf",
    "ntsync4.nsf",
    "private.nsf",
    "products.nsf",
    "proghelp/KBCCV11.nsf",
    "public.nsf",
    "qstart.nsf",
    "quickstart/qstart50.nsf",
    "quickstart/wwsample.nsf",
    "reports.nsf",
    "sample/faqw46.nsf",
    "sample/framew46.nsf",
    "secret.nsf",
    "secure.nsf",
    "setup.nsf",
    "smtpibwq.nsf",
    "smtpobwq.nsf",
    "smtptbls.nsf",
    "software.nsf",
    "statmail.nsf",
    "statrep.nsf",
    "statsrep.nsf",
    "stats675.nsf",
    "user.nsf",
    "users.nsf",
    "webadmin.nsf",
    "welcome.nsf",
    "zmevladm.nsf"
  );
}

report_dbs = "";

foreach db (dbs)
{
  res = http_send_recv3(
    method : "GET",
    item   : "/" + db,
    port   : port,
    exit_on_fail : TRUE
  );

  if (
    "Please identify yourself" >< res[2] ||
    'type="password"' >< res[2] ||
    preg(pattern:"<title>server login</title>", string:res[2], icase:TRUE, multiline:TRUE) ||
    '_QuickPlaceLoginForm' >< res[2] ||
    "WWW-Authenticate" >< res[1]
  )
  {
     set_kb_item(name:'www/domino/'+port+'/db/password_protected', value:db);
  }
  else if (res[0] =~ "200 OK" && (db >< res[2]))
  {
    set_kb_item(name:'www/domino/' + port + '/db/anonymous_access', value:db);
    report_dbs += "  " + build_url(qs:"/"+db, port:port) + '\n';
  }
}

if (report_dbs)
{
  report =
    '\nNessus found the following IBM Domino databases that can be accessed' +
    '\nwithout credentials :\n' +
    '\n' + report_dbs + '\n';

  security_report_v4(
    port: port,
    severity: SECURITY_HOLE,
    extra: report
  );
}
else audit(AUDIT_LISTEN_NOT_VULN, "IBM Domino", port);

Related

cvelist 1
cve 1
nessus 1
nvd 1
openvas 1
cvelist
cvelist
CVE-2002-0664
2002-09-10 04:00:00
cve
cve
CVE-2002-0664
2002-10-04 04:00:00
nessus
nessus
IBM Lotus Domino Administration Databases Anonymous Access
2001-03-08 00:00:00
nvd
nvd
CVE-2002-0664
2002-10-04 04:00:00
openvas
openvas
HCL / IBM / Lotus Domino Administration Databases Accessible (HTTP)
2005-11-03 00:00:00

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.015

Percentile

87.1%

JSON
Related for DOMINO_DB_NO_PASSWORD.NASL
cvelist1cve1nessus1nvd1openvas1