IBM Lotus Domino Multiple Information Disclosure Vulnerabilities

Published: 2013-09-04 10:52:08

CVSS Base Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:N

Summary:
This host is running Lotus Domino Server and is prone to multiple information disclosure vulnerabilities.

Detection Method:
Sends a direct HTTP request to each restricted configuration database and checks whether its content can be read without authentication.

Recommendations:
No known solution has been made available for at least one year since the disclosure of this vulnerability, and it is unlikely that one will be provided. General solution options are to upgrade to a newer release, disable the respective features, remove the product, or replace it with another one.

Technical Details:
The flaws exist because several configuration databases (names.nsf, admin4.nsf, catalog.nsf, events4.nsf) are accessible without authentication, leaking information about the web server configuration.

Affected Versions:
IBM Lotus Domino 8.5.3, 8.5.4, 9.0 and previous versions.

Impact:
Successful exploitation will allow an attacker to access web server configuration information.

Solution Type:
Vendor will not fix

Detection Type:
Remote Vulnerability

References:

http://websecurity.com.ua/5829
http://seclists.org/fulldisclosure/2013/Apr/248

Severity:
Medium

CVSS Score:
5.8
