Summary
This script determines if some default databases can be read remotely.
An anonymous user can retrieve information from this Lotus Domino server: users, databases, server configuration (including operating system and hard disk partitioning), and user access logs (which could expose sensitive data if HTML forms submit their fields via GET, since the query string is logged).
These issues are discussed in 'Lotus White Paper: A Guide to Developing Secure Domino Applications' (December 1999): http://www.lotus.com/developers/devbase.nsf/articles/doc1999112200
Solution
Verify all the ACLs for these databases and remove those not needed.
# This really could be high if, for example some sensitive data, but same databases do not give much information. Make separate tests for each?
Severity
Classification
-
CVE: CVE-2000-0021, CVE-2002-0664
CVSS Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Related Vulnerabilities
- Microsoft Windows Media Services ISAPI Extension Code Execution Vulnerabilities
- IBM WebSphere Application Server (WAS) Multiple Vulnerabilities - (Jan2012)
- Weborf 'get_param_value()' Function HTTP Header Handling Denial Of Service Vulnerability
- Monkey HTTP Daemon Invalid HTTP 'Connection' Header Denial Of Service Vulnerability
- Savant Web Server Remote Buffer Overflow Vulnerability