| VID |
22263 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
WWW |
| Detailed Description |
The Lotus Domino web server discloses database design information through the 'ReadDesign' URL command. Appended to a view URL (for example, `/names.nsf/($Users)?ReadDesign`), the command returns an XML listing of the visible views and a description of each view's structure, and it can also list the documents within a view. This XML contains sensitive information such as the view's Universal Note ID (UNID), the view's name, its fields (columns), and its actions. Because the command is accepted from anonymous users, a remote attacker can obtain this information without authenticating.
* References: http://www.nextgenss.com/advisories/defaultnav.txt, http://www.nextgenss.com/papers/hpldws.pdf
* Platforms Affected: Lotus Domino R5 (any version); HP-UX (any version); IBM lftpd (any version); IBM OS/2 (any version); Solaris (any version); Linux (any version); Microsoft Windows (any version) |
| Recommendation |
You should upgrade to the latest Domino version from the IBM/Lotus web site at http://www.lotus.com.
As a workaround, to prevent all view designs from being read through the web server, create a URL redirection rule for *?ReadDesign. Note that Domino accepts '!' as well as '?' before a URL command, so a rule that matches only *?ReadDesign leaves *!ReadDesign reachable; add a second rule for that form. The redirect only hides the command at the HTTP layer; databases that anonymous users should not be able to read should also deny Anonymous in their ACL.
1) Open the Domino Administrator client and select "File -> Open Server" to open the server whose document you want to edit.
2) Click "Web" on the left-hand side of the screen, then under "Web" click "Web Server Configuration".
3) Click the "Edit Document" button at the top of the server document.
4) Click the "Web" button at the top of the server document.
5) Click "Create URL Mapping/Redirection" and select the "Mapping" tab.
6) Enter "*?ReadDesign" as the incoming URL string, then repeat steps 5 and 6 with "*!ReadDesign".
7) Enter "tell http restart" at the server console so that the settings take effect. |
| Related URL |
(CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
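The check below is an added example, not code from the advisory, from NGSSoftware or from IBM/Lotus. It builds both URL forms of the ReadDesign command for a view (Domino treats '?' and '!' as equivalent command separators), probes a server through an injected `fetch` callable so it can run offline, and treats a 200 XML response containing a 32-hex-character UNID as a disclosure. The XML bodies and the `viewdesign`/`column` element names are constructed stand-ins approximating Domino R5 output, not captured traffic; the host, database and view names are placeholders.

```python
"""Offline check for anonymous ?ReadDesign disclosure on a Lotus Domino web server.

Added example; not the advisory's or IBM's code. Sample responses are constructed.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote

# Domino accepts '?' and '!' interchangeably before a URL command, so a probe
# (and any URL-mapping workaround) must cover both forms.
COMMAND_SEPARATORS = ("?", "!")

# A Domino Universal Note ID (UNID) is 32 hexadecimal characters.
UNID_RE = re.compile(r"\b[0-9A-Fa-f]{32}\b")


def readdesign_urls(base_url, database, view):
    """Return the '?' and '!' forms of the ReadDesign command URL for one view."""
    base = base_url.rstrip("/")
    return [f"{base}/{quote(database)}/{quote(view)}{sep}ReadDesign"
            for sep in COMMAND_SEPARATORS]


def parse_readdesign(status, content_type, body):
    """Return the disclosed design details if the response looks like a ReadDesign
    listing (HTTP 200, XML body, at least one UNID), otherwise None."""
    if status != 200 or "xml" not in content_type.lower():
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    unids = sorted(set(UNID_RE.findall(body)))
    if not unids:
        return None
    # Element names are an assumption about the XML schema, not documented output.
    columns = [el.get("name") for el in root.iter()
               if el.tag.lower() == "column" and el.get("name")]
    return {"root": root.tag, "view": root.get("name"),
            "unids": unids, "columns": columns}


def check_server(fetch, base_url, database, view):
    """Probe both command forms. `fetch(url)` must return (status, content_type, body);
    it is injected so the check can be run against canned responses."""
    findings = {}
    for url in readdesign_urls(base_url, database, view):
        disclosed = parse_readdesign(*fetch(url))
        if disclosed:
            findings[url] = disclosed
    return findings


# Constructed sample body approximating a ReadDesign listing (not captured traffic).
VULNERABLE_BODY = (
    '<?xml version="1.0"?>'
    '<viewdesign name="($All)" unid="8178B1C14B1E9B6B8525624F0062FE9F">'
    '<column name="Subject" title="Subject"/>'
    '<column name="From" title="From"/>'
    '<action name="Delete"/>'
    '</viewdesign>'
)


def vulnerable_fetch(url):
    """Unpatched server: both command forms return the XML listing."""
    return (200, "text/xml", VULNERABLE_BODY)


def redirected_fetch(url):
    """Server with URL redirection rules for both *?ReadDesign and *!ReadDesign."""
    return (302, "text/html", "")


def half_fixed_fetch(url):
    """Server where only *?ReadDesign was redirected: the '!' form still leaks."""
    if "?ReadDesign" in url:
        return (302, "text/html", "")
    return (200, "text/xml", VULNERABLE_BODY)


if __name__ == "__main__":
    for name, fetch in (("vulnerable", vulnerable_fetch),
                        ("redirected", redirected_fetch),
                        ("half-fixed", half_fixed_fetch)):
        found = check_server(fetch, "http://domino.example", "names.nsf", "($Users)")
        print(name, "->", list(found) or "no disclosure")
```

Running the block shows the half-fixed case: the '?' rule alone reports no disclosure for `...?ReadDesign` while `...!ReadDesign` still returns the view's UNID and columns, which is why the workaround needs both mapping rules.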