Overview
The Lotus Domino Web Server contains a flaw that could be exploited to cause a denial of service on the Windows and OS/2 platforms.
Description
The Lotus Domino Web Server allows access to DOS devices. When such a request is made through the cgi-bin directory, an ncgihttp.exe process is started to handle the execution of the request. A flaw exists where this processing never finishes. After numerous such requests have been made, the server no longer responds to requests on TCP port 80.
Impact
A denial of service results on Windows and OS/2 platforms.
Solution
Upgrade to Notes/Domino 5.0.7 or later. See http://www.notes.net/qmrdown.nsf/QMRWelcome.
If possible, disable access to DOS devices through the web server's cgi-bin directory. An application layer filter may be able to detect and block such requests.
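A sketch of the application-layer check mentioned above, added here as an example and not taken from the vendor or the Defcom Labs advisory. It assumes the standard Windows reserved device names (the advisory does not list them), and the function name and sample request targets are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumption: standard reserved DOS device names; the advisory gives no list.
DOS_DEVICES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def _decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded paths are inspected too."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_dos_device_request(request_target: str) -> bool:
    """True if the target is under /cgi-bin/ and a path segment names a device."""
    path = _decode(urlsplit(request_target).path).replace("\\", "/")
    segments = [s for s in path.split("/") if s]
    if not segments or segments[0].lower() != "cgi-bin":
        return False
    for seg in segments[1:]:
        # Device names match regardless of case, extension, or trailing
        # colon, dot or space ("nul.txt" and "CON:" both resolve to a device).
        base = re.split(r"[.:]", seg.strip(" ."), maxsplit=1)[0].strip().upper()
        if base in DOS_DEVICES:
            return True
    return False


# Constructed request targets, as a filter or log review would see them.
SAMPLE_TARGETS = [
    "/cgi-bin/search.cgi?q=con",   # benign: device name only in the query
    "/cgi-bin/console.pl",         # benign: "console" is not a device
    "/cgi-bin/NUL.pl?x=1",         # device name with an extension
    "/CGI-BIN/%256eul",            # double percent-encoded device name
    "/help/aux",                   # outside cgi-bin, not this issue
]
FLAGGED = [t for t in SAMPLE_TARGETS if is_dos_device_request(t)]
```

A proxy or filter in front of the server would reject flagged targets before they reach Domino; the same function can be run over access logs to find earlier requests of this kind.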
Acknowledgements
Our thanks to Defcom Labs, who published an advisory on this and other problems, available at http://www.securityfocus.com/frames/?content=/templates/advisory.html?id=3208.
This document was written by Jason Rafail and is based on information obtained from a Defcom Labs Advisory.
Other Information
CVE IDs: None
Severity Metric: 5.07
Date Public: 2001-04-11
Date First Published: 2001-07-12
Date Last Updated: 2001-07-12 20:43 UTC
Document Revision: 18