VID 12023
Severity 30
Port 80, ...
Protocol TCP
Class WWW
Detailed Description The Lotus Domino web server is vulnerable to a Denial of Service attack via a long URL request.
Lotus Domino Server is an application framework for web-based collaborative software. It runs on multiple platforms, including Windows and UNIX. By default, the server maps the /cgi-bin virtual path to the \domino\cgi-bin directory. One of the vulnerabilities in its handling of CGI requests is a buffer overflow that results in a denial of service condition. It is triggered by sending an excessively long URL relative to /cgi-bin. When a remote attacker sends the following URL request:

GET /cgi-bin/....['.'*800]....aaaa['a'*4000]aaaaaaa HTTP/1.0

the remote HTTP task crashes and no longer serves any requests (including standard Notes database access over HTTP). If Domino is launched as a Windows NT service, the service does not stop completely; the remaining processes must be killed or Windows NT rebooted.
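The following is an added example, not part of the original advisory: it builds the malformed request byte-for-byte as described above (800 dots followed by 4000 'a' characters under /cgi-bin; it is never sent) and scans access-log lines for requests with the same shape. It assumes the log is in NCSA Common Log Format, that the Host header is acceptable on an HTTP/1.0 request, and a maximum legitimate CGI URL length of 255 bytes; the log lines are constructed for the example.

```python
import re
from typing import Iterable, List, Tuple

# Constructed probe exactly as the advisory describes: 800 '.' characters followed by
# 4000 'a' characters under /cgi-bin. Built as bytes only; nothing here sends it.
def build_probe_request(host: str = "domino.example.invalid",
                        dots: int = 800, letters: int = 4000) -> bytes:
    """Return the raw HTTP/1.0 request from the advisory (Host header is an assumption)."""
    path = "/cgi-bin/" + "." * dots + "a" * letters
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")

# Assumption: the access log is in NCSA Common Log Format; the regex pulls out the
# client address and the request path.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+'
)

CGI_PATH = "/cgi-bin/"
MAX_CGI_PATH_LEN = 255  # assumption: set to the longest legitimate CGI URL on your server

def is_suspicious_cgi_request(path: str, max_len: int = MAX_CGI_PATH_LEN) -> bool:
    """Flag CGI requests that are abnormally long or contain a run of dots."""
    if not path.startswith(CGI_PATH):
        return False
    return len(path) > max_len or "...." in path

def scan_access_log(lines: Iterable[str]) -> List[Tuple[str, int, str]]:
    """Return (client ip, path length, truncated path) for each suspicious CGI request."""
    hits: List[Tuple[str, int, str]] = []
    for line in lines:
        m = CLF_RE.match(line)
        if m is None:
            continue  # not a CLF line; ignore it
        path = m.group("path")
        if is_suspicious_cgi_request(path):
            hits.append((m.group("ip"), len(path), path[:48] + "..."))
    return hits

# Constructed sample log: two ordinary requests and one copy of the advisory's probe.
_PROBE_PATH = build_probe_request().split(b" ")[1].decode("ascii")
SAMPLE_LOG = [
    '10.0.0.2 - - [10/Dec/1999:09:15:02 +0000] "GET /names.nsf?Open HTTP/1.0" 200 5120',
    '10.0.0.3 - - [10/Dec/1999:09:15:07 +0000] "GET /cgi-bin/Xrun.cgi?id=7 HTTP/1.0" 200 310',
    f'10.0.0.5 - - [10/Dec/1999:09:16:41 +0000] "GET {_PROBE_PATH} HTTP/1.0" 500 0',
]

if __name__ == "__main__":
    for ip, length, head in scan_access_log(SAMPLE_LOG):
        print(f"{ip}: {length}-byte /cgi-bin request {head}")
```

Because the HTTP task crashes on this request, the triggering line may never be written to the log at all; treat an unexplained restart of the HTTP task as a second signal alongside the log check.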

* Platforms Affected:
Lotus Domino HTTP 4.6.X (4.6.4, 4.6.5, 4.6.6)

* References:
http://online.securityfocus.com/bid/881
http://www.securiteam.com/exploits/3J5QDQKQAQ.html
Recommendation The workaround is to create a URL redirect in the DOMCFG.NSF database that redirects any anomalous CGI requests to another URL. Since any request for a non-existent CGI can trigger this error, the following workaround is suggested.

* If the customer does not require the use of any CGIs, the entire /cgi-bin directory can be redirected to another URL (a Notes database or an HTML file). Any "/cgi-bin" request is then redirected to this URL and is not processed as a CGI.

* If the customer does require the use of CGIs, the following setup is required:

1) In the HTTP section of the Server Document, change the "CGI URL path" field to a different URL path. This does not require a change to the "CGI directory" field, so the location of the CGIs on disk remains the same. Only the URL that invokes CGIs is altered.

Example: The default CGI URL path is "/cgi-bin"; change this to "/scripts/cgi-bin". A /cgi-bin request is then treated as an ordinary URL instead of a CGI invocation.

2) Create a URL Redirect document in the DOMCFG.NSF for each specific CGI that resides on the server. Specify the incoming URL path as "/cgi-bin", and the redirection URL as "/scripts/cgi-bin".

Example: A customer has a CGI named "Xrun.cgi" in the domino/cgi-bin directory. Normally, any request to execute the CGI would arrive as "http://hostname/cgi-bin/Xrun.cgi". This request is redirected to "http://hostname/scripts/cgi-bin/Xrun.cgi", where Domino recognizes it as a CGI and runs the script. The "/cgi-bin" URL itself is not recognized as a CGI request; only the redirection to "/scripts/cgi-bin" causes the Domino server to process it as a CGI script.
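As an added example (not part of the advisory), the following checks that the workaround above is actually in effect by parsing the server's response to a request for /cgi-bin/Xrun.cgi: a correctly configured server answers with a redirect whose Location points at the new CGI URL path, while a server that still executes /cgi-bin directly returns the CGI's output. The two responses and the path "/scripts/cgi-bin" are constructed for the example, and the optional live probe assumes the hostname and port are supplied on the command line.

```python
import re
import socket
import sys
from typing import Dict, Tuple

def parse_response(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP response into (status code, lower-cased header map)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)          # e.g. "HTTP/1.0 302 Found"
    status = int(parts[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def workaround_redirects(raw: bytes, cgi_name: str,
                         new_prefix: str = "/scripts/cgi-bin") -> bool:
    """True if the response is a redirect whose Location path is new_prefix/cgi_name."""
    status, headers = parse_response(raw)
    if status not in (301, 302, 303, 307):
        return False
    location = headers.get("location", "")
    path = re.sub(r"^https?://[^/]+", "", location)   # drop scheme and host if present
    return path == f"{new_prefix}/{cgi_name}"

def build_check_request(host: str, cgi_name: str, old_prefix: str = "/cgi-bin") -> bytes:
    """Request for the CGI under the old path; the workaround should redirect it."""
    return f"GET {old_prefix}/{cgi_name} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")

def probe_host(host: str, port: int, cgi_name: str, timeout: float = 5.0) -> bytes:
    """Send the check request to a live server and return the raw response (assumed reachable)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_check_request(host, cgi_name))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)

# Constructed responses. The first is what the server should return once the
# DOMCFG.NSF redirect is in place; the second is a server still executing /cgi-bin directly.
REDIRECTED = (b"HTTP/1.0 302 Found\r\n"
              b"Location: http://hostname/scripts/cgi-bin/Xrun.cgi\r\n"
              b"Content-Length: 0\r\n\r\n")
DIRECT_CGI = (b"HTTP/1.0 200 OK\r\n"
              b"Content-Type: text/html\r\n\r\n"
              b"<html>Xrun output</html>")

if __name__ == "__main__":
    if len(sys.argv) == 4:
        raw = probe_host(sys.argv[1], int(sys.argv[2]), sys.argv[3])
    else:
        raw = REDIRECTED   # offline demonstration on the constructed response
    print("workaround in effect" if workaround_redirects(raw, "Xrun.cgi") else "still direct CGI")
```

Run it against each CGI you created a redirect document for; a 200 from /cgi-bin means that request reached the CGI handler and the long-URL crash is still reachable through that path.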
Related URL CVE-2000-0023 (CVE)