Buffer Overflow in Lotus Domino: Web retriever HTTP status
March 18, 2003
To determine if you should apply this patch, download AppDetective for
Lotus Domino from http://www.appsecinc.com/products/appdetective/domino
Risk level: High
Threat:
This buffer overflow may allow an attacker to overwrite the heap and
possibly compromise the server.
Versions Affected: R4, R5, and R6
Summary:
A buffer overflow exists in the Web Retriever, which the Domino server
uses to fetch web pages on behalf of Notes clients. The overflow occurs
when a malicious web server returns an overly long value in the status
line of its HTTP response. The oversized copy overwrites heap memory,
which may allow the server to be compromised.
Details:
The Lotus Notes client can be used as a web browser. It fetches web
pages through the Web Retriever, which is implemented as a database
called WEB.NSF. A Notes user can open web pages through a local WEB.NSF
or through the WEB.NSF on the Domino server.
The WEB.NSF database mishandles a large response from a web site. When
the text returned with the HTTP status code is 6000 bytes long, WEB.NSF
copies it into a much smaller buffer on the heap without checking the
length. The copy runs past the end of the buffer and overwrites
adjacent heap memory.
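The pattern the advisory describes, as an added illustration in C (this is not Lotus code; the parser, the 64-byte buffer size, the function names and the sample status line are all constructed for the example). It shows a status-line parser that copies the reason phrase into a fixed-size heap allocation with no length check, next to a hardened version that rejects anything that does not fit:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical size of the heap buffer the reason phrase is copied into. */
#define REASON_MAX 64

/*
 * Locate the reason phrase in a status line of the form
 *   "HTTP/1.x SP status-code SP reason-phrase CRLF"
 * Returns a pointer to its first byte and stores its length (bytes before
 * the first CR or LF, or end of string) in *len; NULL if the line is malformed.
 */
const char *reason_phrase(const char *status_line, size_t *len)
{
    const char *p = strchr(status_line, ' ');   /* skip HTTP-version */
    if (p == NULL) return NULL;
    p = strchr(p + 1, ' ');                     /* skip status-code */
    if (p == NULL) return NULL;
    p++;
    *len = strcspn(p, "\r\n");
    return p;
}

/* Length of the reason phrase, 0 for a malformed line. */
size_t reason_length(const char *status_line)
{
    size_t len = 0;
    return reason_phrase(status_line, &len) ? len : 0;
}

/* VULNERABLE pattern: fixed-size heap allocation, copy bounded only by
 * what the remote server chose to send. A 6000-byte reason phrase writes
 * far past the 64-byte chunk and corrupts neighbouring heap memory. */
char *copy_reason_unsafe(const char *status_line)
{
    size_t len;
    const char *reason = reason_phrase(status_line, &len);
    if (reason == NULL) return NULL;
    char *buf = malloc(REASON_MAX);
    if (buf == NULL) return NULL;
    memcpy(buf, reason, len);      /* len may exceed REASON_MAX: heap overflow */
    buf[len] = '\0';
    return buf;
}

/* HARDENED: check the length against the allocation before copying and
 * refuse oversized input instead of truncating silently. */
char *copy_reason_safe(const char *status_line)
{
    size_t len;
    const char *reason = reason_phrase(status_line, &len);
    if (reason == NULL || len >= REASON_MAX) return NULL;
    char *buf = malloc(REASON_MAX);
    if (buf == NULL) return NULL;
    memcpy(buf, reason, len);
    buf[len] = '\0';
    return buf;
}

/* Constructed sample of what a malicious server might send: a 200 status
 * line whose reason phrase is n bytes of 'A'. Caller frees the result. */
char *build_status_line(size_t n)
{
    const char prefix[] = "HTTP/1.1 200 ";
    size_t plen = sizeof prefix - 1;
    char *line = malloc(plen + n + 3);          /* room for CR LF NUL */
    if (line == NULL) return NULL;
    memcpy(line, prefix, plen);
    memset(line + plen, 'A', n);
    memcpy(line + plen + n, "\r\n", 3);
    return line;
}

int main(void)
{
    char *benign = copy_reason_unsafe("HTTP/1.1 200 OK\r\n");
    printf("benign reason: %s\n", benign);
    free(benign);

    char *hostile = build_status_line(6000);
    printf("hostile reason length: %zu (buffer is %d bytes)\n",
           reason_length(hostile), REASON_MAX);
    /* copy_reason_unsafe(hostile) would write ~6000 bytes into a 64-byte
     * chunk; the hardened parser rejects the line instead. */
    printf("hardened copy: %s\n", copy_reason_safe(hostile) ? "accepted" : "rejected");
    free(hostile);
    return 0;
}
```

The point of the contrast is the missing bound: the allocation size is fixed at compile time while the copy length is chosen by the remote web server, so a single long status line is enough to corrupt the heap. The hardened version ties the copy to the allocation and treats an over-long reason phrase as a malformed response.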
This vulnerability could be exploited in several ways. A non-privileged
user with access to a Domino server could deliberately retrieve a
malicious web page through the server to gain elevated privileges.
Alternatively, an attacker could trick a valid Notes user into
connecting to a malicious web site and compromise the server that way.
Fix:
To fix this problem, download and apply the latest Maintenance
Release/Maintenance Update (MR/MU). These maintenance updates are
available from the Lotus web site at:
http://www-10.lotus.com/ldd/r5fixlist.nsf/Progress/$first?opendocument
This vulnerability has been fixed in the following releases:
R5.0.12
R6.0.0 GOLD (only pre-release and beta versions of R6 are vulnerable)
There does not appear to be a fix for version 4.x.
If you are unable to upgrade the server, there are workarounds for this
issue. One workaround is to prevent use of the WEB.NSF database, either
by deleting WEB.NSF or by revoking every user's access to it.
Another is to disable the Web Retriever task on the server: remove the
'Web' entry from the ServerTasks line in the notes.ini file so the task
does not start again on the next restart, then execute the command
'tell web quit' at the server console to stop the running task.