Domino File Reading

From: marcus.chain@hushmail.com
To: pen-test@securityfocus.com
Date: Tue, 4 Dec 2001 03:04:15 -0800


-----BEGIN PGP SIGNED MESSAGE-----

Morning all,

Looking at a Domino 5.0.8 on Win32 server atm, the ReplicaID of the web admin template file can be used and using the buffer truncation +++++ trick, I can see the admin page and know that I am the "Anonymous" user. When I try to request a file using http://example.com/[ReplicaID]/OSTextFile_Body?ReadForm&Filename="c:\boot.ini"OSTextFile_Body?OpenNavigator I get a little JavaScript "alert" pop-up box statement that "Rich Text item Body already exists". I get the same sort of thing if I do the http://example.com/webadmin.ntf+++[etc etc]+++.nsf/OSTextFile_Body?ReadForm&c:\boot.ini trick as well.

Is this a fubar on my part, or are files ACL'd such that this user can't get to them? Can't seem to find any answer on the net, so any pointers in the vague direction of an answer would be appreciated.

Ta muchly,

Marcus.
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wmEEARECACEFAjwMrTAaHG1hcmN1cy5jaGFpbkBodXNobWFpbC5jb20ACgkQVZBW5wkl
TLx0QwCgoJGomB/zs7Loxtkno4Y7aUjZLPAAn2sH0mJ85FIuiz4k+ADHyUPhtzaN
=5PMz
-----END PGP SIGNATURE-----
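
For anyone reviewing Domino HTTP logs, the request shapes quoted in the message above can be matched directly. This is an added example, not part of the original post: the log lines are constructed, the rule names are hypothetical, and the 16-hex-digit ReplicaID path form is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Dec/2001:03:01:10 -0800] "GET /homepage.nsf?Open HTTP/1.0" 200 5120
192.0.2.77 - - [04/Dec/2001:03:02:41 -0800] "GET /webadmin.ntf++++++++++++.nsf/OSTextFile_Body?ReadForm HTTP/1.0" 200 913
192.0.2.77 - - [04/Dec/2001:03:02:58 -0800] "GET /0123456789ABCDEF/OSTextFile_Body?ReadForm&Filename=x HTTP/1.0" 200 913
192.0.2.10 - - [04/Dec/2001:03:03:05 -0800] "GET /help/a+b.nsf?Open HTTP/1.0" 404 210
192.0.2.77 - - [04/Dec/2001:03:03:30 -0800] "GET /webadmin.ntf%2B%2B%2B%2B.nsf/x?OpenForm HTTP/1.0" 200 640
"""

# Client address and request URI from one log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Hypothetical rule names; each pattern comes from a request shape in the post.
RULES = {
    # Run of '+' padding directly before ".nsf" (the "+++++" truncation trick).
    "padded_nsf": re.compile(r"\+{3,}\.nsf", re.I),
    # A template file (.ntf) addressed over HTTP.
    "template_ref": re.compile(r"\.ntf", re.I),
    # The OSTextFile_Body form opened with ReadForm.
    "ostextfile_form": re.compile(r"OSTextFile_Body\?ReadForm", re.I),
    # Assumption: a ReplicaID used as the database path is 16 hex digits.
    "replica_id_path": re.compile(r"^/[0-9A-F]{16}/", re.I),
}


def classify(uri):
    """Return the sorted rule names matching a request URI."""
    # unquote() keeps literal '+' and decodes %2B, so encoded padding is caught.
    decoded = unquote(uri)
    return sorted(name for name, rx in RULES.items() if rx.search(decoded))


def scan(log_text):
    """Return (client, uri, tags) for every log line that matches a rule."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable request line
        tags = classify(m.group(2))
        if tags:
            hits.append((m.group(1), m.group(2), tags))
    return hits


if __name__ == "__main__":
    for client, uri, tags in scan(SAMPLE_LOG):
        print(client, ",".join(tags), uri)
```

Several tags from the same client within a short window, as in the constructed sample, are a stronger signal than any single rule.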
