IBM Lotus Notes Domino Server Discloses Server Banner to Remote Users When Configured Not To
SecurityTracker Alert ID: 1005573
CVE Reference: GENERIC-MAP-NOMATCH
Date: Nov 8 2002
Impact: Disclosure of system information
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): 5.0.8, 5.0.9, and 5.0.9a
Description: An information disclosure vulnerability was reported in IBM's Lotus Domino server. A remote user may be able to view the server version banner even if the system has been configured to prevent this display.
It is reported that a remote user can request a non-existent Notes database (an .nsf file) to cause the server to display the version banner.
This apparently occurs even if the 'notes.ini' file is configured with the 'DominoNoBanner=1' setting.
A demonstration exploit URL is provided:
http://serverAddress/nosuchdb.nsf
IBM Lotus Corporate has assigned support incident number 1524817 to this bug report.
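The following script is an added example for verifying the behaviour described above; it is not part of the SecurityTracker entry or the reporter's message. It requests the site root and then the non-existent database from the advisory (/nosuchdb.nsf) and compares the two responses: if no banner appears on the root request but one appears on the missing-database request, the DominoNoBanner setting is being bypassed. The assumptions that go beyond the advisory are the banner's location and shape (the HTTP Server header and/or the error page body, matching Lotus-Domino/<version>); adjust BANNER_RE if your server formats it differently. The sample responses at the bottom are constructed for offline use, not captured from a real server.

```python
"""Check a Domino HTTP server for the version-banner leak on a request
for a non-existent .nsf database (SecurityTracker 1005573).

Added example, not code from the advisory.  Assumptions not stated in
the advisory: the banner is carried in the HTTP 'Server' header and/or
the error page body, and looks like 'Lotus-Domino/<version>'.
"""
import re
import sys
import urllib.error
import urllib.request

# Assumed banner shape; the advisory only says a "(version) banner" appears.
BANNER_RE = re.compile(r'Lotus-Domino/[^\s<"]*', re.IGNORECASE)


def find_banner(headers, body):
    """Return the first Domino banner found in the Server header or the
    response body, or None if nothing matching leaked."""
    server = ""
    for name, value in (headers or {}).items():   # header names are case-insensitive
        if name.lower() == "server":
            server = value
    for text in (server, body or ""):
        m = BANNER_RE.search(text)
        if m:
            return m.group(0)
    return None


def banner_leak(root_resp, missing_db_resp):
    """Compare the (headers, body) pair for '/' with the pair for a database
    that does not exist.  'bypass' is True when the banner is hidden on '/'
    (DominoNoBanner honoured) but shown on the missing-database request."""
    root_banner = find_banner(*root_resp)
    missing_banner = find_banner(*missing_db_resp)
    return {
        "root_banner": root_banner,
        "missing_db_banner": missing_banner,
        "bypass": root_banner is None and missing_banner is not None,
    }


def fetch(url, timeout=10):
    """GET the URL and return (headers, body) even for error status codes,
    since the interesting response here is the 404-style error page."""
    req = urllib.request.Request(url, headers={"User-Agent": "domino-banner-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return dict(r.headers.items()), r.read().decode("latin-1", "replace")
    except urllib.error.HTTPError as e:
        return dict(e.headers.items()), e.read().decode("latin-1", "replace")


def check_server(base_url):
    """Live check against a server: root request versus the advisory's
    non-existent database '/nosuchdb.nsf'."""
    base = base_url.rstrip("/")
    return banner_leak(fetch(base + "/"), fetch(base + "/nosuchdb.nsf"))


# Constructed sample responses for offline demonstration (not real captures).
SAMPLE_ROOT = (
    {"Content-Type": "text/html"},
    "<html><body>Welcome to the intranet</body></html>",
)
SAMPLE_MISSING = (
    {"Server": "Lotus-Domino/5.0.8", "Content-Type": "text/html"},
    "<html><body>Error 404: the requested database does not exist</body></html>",
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_server(sys.argv[1]))          # e.g. http://serverAddress
    else:
        print(banner_leak(SAMPLE_ROOT, SAMPLE_MISSING))
```

Run it with a base URL to test a live server, or without arguments to see the comparison on the constructed samples. A result with "bypass": True reproduces the advisory's condition; a banner on both requests means DominoNoBanner is not in effect at all, which is a configuration problem rather than this bug.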
Impact: A remote user can view the server version banner even if the server is configured to not display the information.
Solution: No solution was available at the time of this entry.
Vendor URL: www.lotus.com/
Cause: State error
Underlying OS: Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)
Reported By: Frank Perreault <frank@harrystotle.com>
Message History:
None.
Source Message Contents
Date: 7 Nov 2002 20:39:20 -0000
From: Frank Perreault <frank@harrystotle.com>
Subject: Lotus Domino HTTP Server security issue
Lotus Domino http (version) banner will appear despite
notes.ini 'DominoNoBanner=1' setting. To recreate:
formulate a URL requesting a non-existing nsf database.
Example: 'http://serverAddress/nosuchdb.nsf'
Has been verified on Lotus Domino 5.0.8, 5.0.9 and
5.0.9a. IBM Support is documenting and assigning a SPR
number. (Taken from http://hs.servehttp.com:9080/archives/00000042.html.)