Lotus Domino R4 Web Server -- File Retreival Vulnerability Digisec.org Security Advisory Systems affected: Lotus Domino R4 (Versions 4.x) AIX - have not tested other versions/platforms Risk: High Date: July 2, 2002 Legal Notice: This advisory is Copyright (c) 2002 Digisec.org This advisory may be distributed unmodified, however, you may not modify and distribute (in parts or in it's entirety) without express written permission. Disclaimer: Use this information at your own risk. Digisec.org is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory. Digisec.org bears no responsibility for content or misuse of this advisory or any derivatives thereof. Description: Lotus Domino Web Server under AIX (have not tested other versions) allows downloading of files in the web root directory (rather than referring to the ECLs within the database or the permissions on the file itself). This does not work on the standard web scripts included in Domino such as admin4.nsf, names.nsf, domcfg.nsf, etc. However, if there are other files or custom-made .nsf databases in the server's web root directory, they may be downloaded by appending a "?" at the end of the file name. Our understanding of this problem is based on the way that Lotus handles documents in the web root directory. When a request is made to a file, the addition of the "?" on the end of the file name acts as a wildcard. The server doesn't know how to handle this character and instead just delivers the entire file rather than trying to parse the file through the web handler. This was tested with other various file types (.tar, .htm, .zip, etc.) all with success. Exploit Information: http://dominoserver/nameoffile.ext? will get the file "nameoffile.ext". Vendor status: Lotus was notified about the issue. They noted that this issue had never been reported and suggested a workaround that appears to correct the issue. Their suggestion was to create a separate directory for the web site files (don't put them in the web root created during installation). Also, the permissions on these files should be appropriately applied. This vulnerability only appears to work on files within the web root directory not in other folders. This vulnerability is not an issue in R5 (which was tested by Lotus). Acknowledgements: Thanks to the following for your support and insight: Lotus, packetphobia, rabidpacketmonky and j0hnn135.