I have received a security alert from our Security Compliance service and they have noted that we have an issue:
Domino HTTP Server Internal Path Disclosure
It is possible to get the absolute path leading to the remote /cgi-bin
directory by requesting a bogus cgi (like : ‘GET /cgi-bin/blah’). This
problem can be used to obtain OS and installation details.
Service: Lotus-Domino
CVE: CVE-2000-0021
NVD: CVE-2000-0021
Bugtraq: 881
Reference:
CVSSv2: AV:N/AC:L/Au:N/C:P/I:N/A:N (Base Score: 5.00
BUGTRAQ:19991221 serious Lotus Domino HTTP denial of service
BUGTRAQ:19991227 Re: Lotus Domino HTTP denial of service attack
Can I please get more information regarding this issue and remediation to resolve this issue?
thanks,
john
Subject: Interesting, I got the following from our security audit today, first time we have failed in years
I am not sure how to fix this, but, they must have changed their testing methodology… We use Domino 8.0.1
Howard
Security Vulnerabilities
Protocol: TCP
Port: 80
Program: http
Risk: 5
Summary:
Synopsis : Debugging functions are enabled on the remote web server.
Description : The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. In addition, it has been shown that servers supporting the TRACE method are subject to cross-site scripting attacks, dubbed XST for “Cross-Site Tracing”, when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials.
See also :
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
VU#867593 - Web servers enable HTTP TRACE method by default
Solution: Disable these methods.
Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Plugin output : The server response from a TRACE request is :
TRACE /SMetrics1555461136.html HTTP/1.1
Connection: Keep-Alive
Host: tlcc.com
Pragma: no-cache
User-Agent: Mozilla/4.75 [en] (X11, U Smetrics )
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, /
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
CVE : CVE-2004-2320
BID : 9506, 9561, 11604
Other references : OSVDB:877, OSVDB:3726
Subject: You have control over TRACE, TRACK is not supported by Domino
You can disable the trace method - if you use the web configuration view, you would set the notes.ini variable like this: HTTPDisableMethods=TRACE,GET,etc, or if you use internet sites, then on each internet site document there is a check box for each HTTP method you want to enable.
Subject: *Thanks, I found that and we passed the audit after I enabled that notes.ini setting
Subject: What version of Domino are you running?
The bug referenced by your security compliance people was reported nearly 9 years ago in Domino 4.6. http://www.securityfocus.com/bid/881/info
If you are actually running a Domino 4.6 web server, then an upgrade would be the best approach.
If you are not running Domino 4.6, then perhaps the test result is erroneous, or perhaps you have some strange configuration that has caused this issue to recur. Personally, I would regard exposing the absolute path to the Domino program directory as only moderately severe – not great, but you would need some other vulnerability to make use of the exploit.
Rupert Clayton
Chicago