From chad@rapid7.com Fri Feb 8 21:30:59 2002
From: Chad Loder
X-Sender: cloder@zion
To: Nicolas Gregoire
Cc: bugtraq@securityfocus.com
Date: Thu, 07 Feb 2002 11:39:37 -0800
Subject: Re: KPMG-2002004: Lotus Domino Webserver DOS-device Denial of Service

Nicolas,

I have confirmed your .pl path-revealing discovery for all versions of Domino, even going back as far as Release 4.5, which gives very similar results.

Domino 4.5 reveals the full path, but does NOT give two separate error responses run together.

Domino 4.6.6b reveals the full path, and like R5 DOES give two HTTP responses run together.

On R5, as you noticed, the second response gives a generic error which does not reveal the path:

    "Unable to run CGI program. No such file or directory"

In Release 4.6.6b, the second response contains the full path:

    $ telnet host 80
    Connecting to host port 80...
    GET /cgi-bin/NUL.pl HTTP/1.0

    HTTP/1.1 200 Document follows
    Server: Lotus-Domino/Release-4.6.6b
    Date: Thu, 07 Feb 2002 19:14:50 GMT
    Content-Type: text/html
    Content-Length: 466

    Error 500
    Execution of Perl script e:\\domino\cgi-bin\NUL.pl failed. Error = 2
    Content-type: text/html

    Error
    Error 500
    Unable to run CGI program e:\\domino\cgi-bin\NUL.pl. No such file or directory

------------------------------------------------------------------------

I would surmise that the first error is the one given by the Perl module itself (which neglects to close the connection) and the second is given by the core Domino server (which then closes the connection).

In R5, Lotus fixed the path-revealing vulnerability in the core server, which was reported as BugTraq ID #881 (see http://www.securityfocus.com/bid/881), but as you discovered, not in the Perl module.

In Release 4.6 and up, the Perl module looks like it's not properly closing the connection when it encounters an error, which would explain the two error pages.

Just my .02 :-)

Chad Loder

______________________________________
Chad Loder
Principal Engineer
Rapid 7, Inc.
Visit our site to download the NeXpose security scanner!
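The check described in the message above, as an added example that is not part of the original post and not code from Lotus, KPMG or Rapid7: it sends the same bare HTTP/1.0 GET the telnet session did, splits a reply in which two error responses have been run together (the second CGI-style "Content-type:" header block inside the body is taken as the boundary), and extracts any Windows filesystem path the error text reveals. The embedded sample reply is the R4.6.6b response quoted in the message with its line breaks restored; the list of reserved DOS device names, the /cgi-bin/ prefix, the .pl extension and the host and port in the probe helper are assumptions for illustration.

```python
"""Detect Domino CGI error replies that leak the on-disk script path.

Added example, not from the original post. The sample reply below is the
R4.6.6b response quoted in the message with line breaks restored; the probe
URL layout and the live-probe helper are assumptions for illustration.
"""
import re
import socket
from typing import List, Tuple

# Constructed sample: the R4.6.6b reply quoted in the post. The Content-Length
# is copied as quoted and is deliberately not trusted, since the server keeps
# writing past it.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 Document follows\r\n"
    b"Server: Lotus-Domino/Release-4.6.6b\r\n"
    b"Date: Thu, 07 Feb 2002 19:14:50 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 466\r\n"
    b"\r\n"
    b"Error 500 Execution of Perl script e:\\\\domino\\cgi-bin\\NUL.pl failed. Error = 2\r\n"
    b"Content-type: text/html\r\n"
    b"\r\n"
    b"Error Error 500 Unable to run CGI program e:\\\\domino\\cgi-bin\\NUL.pl. "
    b"No such file or directory\r\n"
)

# A second CGI-style header block inside the body marks a response that was
# emitted without the first one ever closing the connection.
HEADER_BOUNDARY = re.compile(rb"(?im)^Content-type:[^\r\n]*\r?\n\r?\n")

# Drive letter, colon, then one or more backslash-separated components.
WINDOWS_PATH = re.compile(r"""[A-Za-z]:(?:\\+[^\s\\"'<>]+)+""")

# Reserved DOS device names (assumed list for the probe generator).
DOS_DEVICES = ["CON", "PRN", "AUX", "NUL"] + \
    [f"COM{i}" for i in range(1, 10)] + [f"LPT{i}" for i in range(1, 10)]


def split_glued_responses(raw: bytes) -> Tuple[bytes, List[bytes]]:
    """Return the status line and every response body found in the stream."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker in response")
    status_line = head.split(b"\r\n", 1)[0]
    bodies = HEADER_BOUNDARY.split(body)
    return status_line, [b.strip() for b in bodies if b.strip()]


def revealed_paths(text: str) -> List[str]:
    """Unique Windows paths in the text, trailing sentence punctuation removed."""
    found = {m.group(0).rstrip(".,;:") for m in WINDOWS_PATH.finditer(text)}
    return sorted(found)


def analyse(raw: bytes) -> dict:
    """Summarise one raw reply: status, how many bodies were glued on, paths."""
    status, bodies = split_glued_responses(raw)
    text = raw.decode("latin-1")
    return {
        "status_line": status.decode("latin-1"),
        "response_count": len(bodies),
        "paths": revealed_paths(text),
        "bodies": [b.decode("latin-1") for b in bodies],
    }


def probe_urls(prefix: str = "/cgi-bin/", ext: str = ".pl") -> List[str]:
    """One request path per reserved device name (assumed script layout)."""
    return [f"{prefix}{name}{ext}" for name in DOS_DEVICES]


def fetch(host: str, path: str, port: int = 80, timeout: float = 10.0) -> bytes:
    """Send a bare HTTP/1.0 GET, as the telnet session did, and read to close."""
    req = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in fetch(host, url)
    # for url in probe_urls() to test a live server you are authorised to scan.
    report = analyse(SAMPLE_RESPONSE)
    print(report["status_line"], "->", report["response_count"],
          "response bodies, revealed paths:", report["paths"])
```

Reading until the peer closes, rather than honouring Content-Length, is what makes the second glued-on error visible at all; a client that stops after 466 bytes would only ever see the first one.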