Web Servers : Lotus Domino administration databases

Vulnerability Search		Search 219043 CVE descriptions and 99761 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 10629

Category: Web Servers

Title: Lotus Domino administration databases

Summary: This script determines if some default databases can be read remotely.;; An anonymous user can retrieve information from this Lotus Domino server: users, databases, configuration; of servers (including operating system and hard disk partitioning), logs of access to users (which could; expose sensitive data if GET html forms are used).;; This issues are discussed in the references 'Lotus White Paper: A Guide to Developing Secure Domino Applications' (december 1999).

Description: Summary:
This script determines if some default databases can be read remotely.

An anonymous user can retrieve information from this Lotus Domino server: users, databases, configuration
of servers (including operating system and hard disk partitioning), logs of access to users (which could
expose sensitive data if GET html forms are used).

This issues are discussed in the references 'Lotus White Paper: A Guide to Developing Secure Domino Applications' (december 1999).

Solution:
Verify all the ACLs for these databases and remove those not needed.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Cross-Ref: BugTraq ID: 5101
BugTraq ID: 881
Common Vulnerability Exposure (CVE) ID: CVE-2000-0021
http://www.securityfocus.com/bid/881
Bugtraq: 19991221 serious Lotus Domino HTTP denial of service (Google Search)
Bugtraq: 19991227 Re: Lotus Domino HTTP denial of service attack (Google Search)
Common Vulnerability Exposure (CVE) ID: CVE-2002-0664
http://www.securityfocus.com/bid/5101
Bugtraq: 20020906 Rapid 7 Advisory R7-0005: ZMerge Insecure Default ACLs (Google Search)
http://marc.info/?l=bugtraq&m=103134154721846&w=2
http://www.iss.net/security_center/static/10057.php

Copyright Copyright (C) 2001 Javier Fernández-Sanguino Peña

This is only one of 99761 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	10629
Category:	Web Servers
Title:	Lotus Domino administration databases
Summary:	This script determines if some default databases can be read remotely.;; An anonymous user can retrieve information from this Lotus Domino server: users, databases, configuration; of servers (including operating system and hard disk partitioning), logs of access to users (which could; expose sensitive data if GET html forms are used).;; This issues are discussed in the references 'Lotus White Paper: A Guide to Developing Secure Domino Applications' (december 1999).
Description:	Summary: This script determines if some default databases can be read remotely. An anonymous user can retrieve information from this Lotus Domino server: users, databases, configuration of servers (including operating system and hard disk partitioning), logs of access to users (which could expose sensitive data if GET html forms are used). This issues are discussed in the references 'Lotus White Paper: A Guide to Developing Secure Domino Applications' (december 1999). Solution: Verify all the ACLs for these databases and remove those not needed. CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Cross-Ref:	BugTraq ID: 5101 BugTraq ID: 881 Common Vulnerability Exposure (CVE) ID: CVE-2000-0021 http://www.securityfocus.com/bid/881 Bugtraq: 19991221 serious Lotus Domino HTTP denial of service (Google Search) Bugtraq: 19991227 Re: Lotus Domino HTTP denial of service attack (Google Search) Common Vulnerability Exposure (CVE) ID: CVE-2002-0664 http://www.securityfocus.com/bid/5101 Bugtraq: 20020906 Rapid 7 Advisory R7-0005: ZMerge Insecure Default ACLs (Google Search) http://marc.info/?l=bugtraq&m=103134154721846&w=2 http://www.iss.net/security_center/static/10057.php
Copyright	Copyright (C) 2001 Javier Fernández-Sanguino Peña