Domino File Reading

From: marcus.chain@hushmail.com
Date: 12/04/01


From: marcus.chain@hushmail.com
To: pen-test@securityfocus.com
Date: Tue,  4 Dec 2001 03:04:15 -0800


-----BEGIN PGP SIGNED MESSAGE-----

Morning all,

Looking at a Domino 5.0.8 on Win32 server atm, the ReplicaID of the web admin template file can be used and using the buffer truncation +++++ trick, I can see the admin page and know that I am the "Anonymous" user. When I try to request a file using http://example.com/[ReplicaID]/OSTextFile_Body?ReadForm&Filename="c:\boot.ini"OSTextFile_Body?OpenNavigator I get a little JavaScript "alert" pop-up box statement that "Rich Text item Body already exists". I get the same sort of thing if I do the http://example.com/webadmin.ntf+++[etc etc]+++.nsf/OSTextFile_Body?ReadForm&c:\boot.ini trick as well.

Is this a fubar on my part, or are files ACL'd such that this user can't get to them? Can't seem to find any answer on the net, so any pointers in the vague direction of an answer would be appreciated.

Ta muchly,

Marcus.
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wmEEARECACEFAjwMrTAaHG1hcmN1cy5jaGFpbkBodXNobWFpbC5jb20ACgkQVZBW5wkl
TLx0QwCgoJGomB/zs7Loxtkno4Y7aUjZLPAAn2sH0mJ85FIuiz4k+ADHyUPhtzaN
=5PMz
-----END PGP SIGNATURE-----
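
For anyone reviewing Domino HTTP logs, the two request shapes described in the message above can be matched as sketched here. This is an added example, not part of the original post: the log lines are constructed, and the common-log-format layout, the 16-hex-digit ReplicaID path form and the rule names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in common log format (assumed layout, not real traffic).
SAMPLE_LOG = [
    r'192.0.2.10 - - [04/Dec/2001:03:01:10 -0800] "GET /homepage.nsf?OpenDatabase HTTP/1.0" 200 5120',
    r'192.0.2.44 - - [04/Dec/2001:03:02:41 -0800] "GET /webadmin.ntf++++++++++++++++.nsf/OSTextFile_Body?ReadForm&c:\boot.ini HTTP/1.0" 200 812',
    r'192.0.2.44 - - [04/Dec/2001:03:03:05 -0800] "GET /0123456789ABCDEF/OSTextFile_Body?ReadForm&Filename=%22c:%5Cboot.ini%22 HTTP/1.0" 200 799',
    r'192.0.2.7 - - [04/Dec/2001:03:04:00 -0800] "GET /help/help5_client.nsf/Index?OpenView HTTP/1.0" 200 2048',
]

REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/\d\.\d"')

# (hypothetical rule name, URL part inspected, pattern)
RULES = [
    ("plus-padded-name", "path", re.compile(r'\.\w{2,4}\+{3,}[^/]*\.nsf(?:/|$)', re.I)),
    ("replica-id-path", "path", re.compile(r'^/[0-9a-f]{16}(?:/|$)', re.I)),
    ("ostextfile-form", "path", re.compile(r'/OSTextFile_Body$', re.I)),
    ("os-path-argument", "query", re.compile(r'(?:^|[&="])[a-z]:[\\/]', re.I)),
]

def classify(log_line):
    """Return the set of rule names that the request in one log line matches."""
    m = REQUEST.search(log_line)
    if not m:
        return set()
    # Split before decoding so an encoded %3F cannot move the path/query boundary.
    raw_path, _, raw_query = m.group(1).partition("?")
    parts = {"path": unquote(raw_path), "query": unquote(raw_query)}
    return {name for name, where, rx in RULES if rx.search(parts[where])}

def scan(lines):
    """Return (line number, rules) for lines worth an analyst's attention."""
    hits = []
    for number, line in enumerate(lines, start=1):
        matched = classify(line)
        # Opening a database by ReplicaID is normal Domino behaviour, so that
        # rule alone is only context; report when something else matches too.
        if matched - {"replica-id-path"}:
            hits.append((number, sorted(matched)))
    return hits

if __name__ == "__main__":
    for number, rules in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(rules)}")
```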
