Overview
Lotus Domino Web Server is an application that provides access to Lotus Notes databases via HTTP requests. A vulnerability exists that could permit a remote attacker to execute arbitrary code on the server.
Description
Lotus Domino Web Server contains a vulnerability in the nhttp.exe application that could permit a remote attacker to execute arbitrary code on the server with SYSTEM privileges. The problem occurs when the web server responds with a "302 Moved Temporarily" redirection error. The "Location:" header contained in this response is composed in part from the Host: header contained in the request. By carefully manipulating the length of the Host: header before and after URL encoding, the attacker can cause the resulting Location: header to contain information in adjacent memory on the web server.

This vulnerability was reportedly discovered using a Windows 2000 (SP3) machine running Domino release 6.0.
Impact
A remote attacker could execute arbitrary code on the server with SYSTEM privileges.
Solution
Upgrade to Domino Release 6.0.1.
Filter HTTP Requests with Large Headers
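One way to apply the header-filtering workaround at a gateway or proxy in front of the server, as an added example that is not part of the original advisory or any vendor code. The function name and all three size limits are assumptions, since the advisory gives no thresholds; the check measures the Host: value both as received and after URL encoding, because the description says the two lengths differ.

```python
from urllib.parse import quote

# Assumed limits; the advisory gives no numbers. 253 is the longest DNS name,
# plus room for ":65535".
MAX_HOST_LEN = 253 + 6
MAX_HEADER_LINE = 4096
MAX_HEADER_BLOCK = 16384


def check_request_head(raw: bytes):
    """Return (allowed, reason) for the header block of one raw HTTP request."""
    head = raw.partition(b"\r\n\r\n")[0]
    if len(head) > MAX_HEADER_BLOCK:
        return False, "header block too large"
    hosts = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if len(line) > MAX_HEADER_LINE:
            return False, "header line too long"
        name, sep, value = line.partition(b":")
        if not sep:
            return False, "malformed header line"
        if name.strip().lower() == b"host":
            hosts.append(value.strip())
    if len(hosts) > 1:
        return False, "multiple Host headers"
    for host in hosts:
        if len(host) > MAX_HOST_LEN:
            return False, "Host header too long"
        # The advisory says the length differs before and after URL encoding,
        # so measure the worst-case encoded form as well (every reserved or
        # non-ASCII byte becomes three characters).
        if len(quote(host, safe="")) > MAX_HOST_LEN:
            return False, "Host header too long after URL encoding"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = {
        "normal": b"GET / HTTP/1.0\r\nHost: www.example.com:8080\r\n\r\n",
        "long host": b"GET / HTTP/1.0\r\nHost: " + b"A" * 400 + b"\r\n\r\n",
        "expanding host": b"GET / HTTP/1.0\r\nHost: " + b"\xff" * 100 + b"\r\n\r\n",
    }
    for label, request in samples.items():
        print(label, check_request_head(request))
```

Rejected requests should be dropped before they reach the Domino HTTP task and logged with the reason string for later review.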
References
- http://www.nextgenss.com/advisories/lotus-hostlocbo.txt
- http://www-1.ibm.com/support/docview.wss?uid=swg21104529
- http://www-1.ibm.com/support/docview.wss?uid=swg27003694
- http://www-1.ibm.com/services/continuity/recover1.nsf/4699c03b46f2d4f68525678c006d45ae/85256a3400529a8685256cd7007acda6?OpenDocument
Acknowledgements
Thanks to Mark Litchfield of NGSSoftware for reporting this vulnerability.
This document was written by Jason A Rafail.
Other Information
- CVE IDs: None
- CERT Advisory: CA-2003-11
- Severity Metric: 53.44
- Date Public: 2003-02-17
- Date First Published: 2003-02-19
- Date Last Updated: 2003-03-26 17:39 UTC
- Document Revision: 14