Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: Servers :: web4908.htm

Lotus Domino - HTTP database lock
10th Dec 2001 [SBWID-4908]

	HTTP database lock


	LOTUS DOMINO 5.0.5 (french) and LOTUS DOMINO 5.0.8  (french)  with  http
	service running.


	Sebastien MICHAUD and Olivier ALLAIRE found that it\'s possible to  lock
	any database, through web access - access will  be  enabled  again  only
	after the restart of the server.


	Except the fact that this bug induce a DoS on  the  targeted  bases,  it
	can perform a DoS on the entire Domino server, if  certainty  bases  are
	locked. In this case there is no way to stop  the  Domino  server  task.
	The computer need to be phisically reboot.

	This bug appears when the targeted database is not in-use by the  server
	(so, names.nsf and  admin4.nsf  are  not  focused  here)  and  requested
	through a web browser with the database name precess by a \" /./  \"  in
	the requested URL.

	 Exploit :






	Example to lock the WEDADMIN.NSF database :




	Example to lock the administrator mailbox :





	Nothing yet. This bug has to be tested against 5.0.9 to check  if  it\'s
	vulnerable or not.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH