Vulnerability Note VU#772817
Lotus Domino Web Server vulnerable to buffer overflow via non-existent "h_SetReturnURL" parameter with an overly long "Host Header" field
Lotus Domino Web Server is an application that provides access to Lotus Notes databases via HTTP requests. A vulnerability exists that could permit a remote attacker to execute arbitrary code on the server.
Lotus Domino Web Server contains a vulnerability in the nhttp.exe application that could permit a remote attacker to execute arbitrary code on the server with SYSTEM privileges.
The problem occurs when the web server responds with a "302 Moved Temporarily" redirection error. The "Location:" header contained in this response is composed in part from the Host: header contained in the request. By carefully manipulating the length of the Host: header before and after URL encoding, the attacker can cause the resulting Location: header to contain information in adjacent memory on the web server. This vulnerability was reportedly discovered using a Windows 2000 (SP3) machine running Domino release 6.0.
A remote attacker could execute arbitrary code on the server with SYSTEM privileges.
Upgrade to Domino Release 6.0.1.
Filter HTTP Requests with Large Headers
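One way to apply this workaround at a proxy or filter in front of the server, shown as an added example that is not part of the original note or any vendor code. The function name `check_request` and all size limits are assumptions; the note itself gives no thresholds.

```python
from urllib.parse import quote

# Assumed limits (not from the advisory). A DNS name is at most 253
# characters; allow 6 more for ":" and a 5-digit port.
MAX_HOST_LEN = 253 + 6
MAX_HEADER_LINE = 4096    # assumed cap for any single header line
MAX_HEADER_BLOCK = 16384  # assumed cap for the whole header block

def check_request(raw: bytes) -> list:
    """Return reasons to reject a raw HTTP request head; empty list means pass."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    reasons = []
    if len(head) > MAX_HEADER_BLOCK:
        reasons.append("header block too large")
    hosts = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if len(line) > MAX_HEADER_LINE:
            reasons.append("header line too long")
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            hosts.append(value.strip())
    if len(hosts) != 1:
        reasons.append("expected exactly one Host header")
    for host in hosts:
        text = host.decode("latin-1")
        if len(text) > MAX_HOST_LEN:
            reasons.append("Host header too long")
        elif len(quote(text, safe=".-:[]")) != len(text):
            # The value grows when URL-encoded, so it holds characters
            # that never appear in a valid hostname[:port].
            reasons.append("Host header changes length when URL-encoded")
    return reasons

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "normal": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "oversized": b"GET / HTTP/1.1\r\nHost: " + b"a" * 400 + b"\r\n\r\n",
    "expands": b"GET / HTTP/1.1\r\nHost: a b%c\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_request(raw) or "pass")
```

The second Host check targets the condition the description names: a value whose length differs before and after URL encoding.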
Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Lotus Software | Affected | 15 Jan 2003 | 17 Mar 2003 |
Thanks to Mark Litchfield of NGSSoftware for reporting this vulnerability.
This document was written by Jason A Rafail.
- CVE IDs: Unknown
- CERT Advisory: CA-2003-11
- Date Public: 17 Feb 2003
- Date First Published: 19 Feb 2003
- Date Last Updated: 26 Mar 2003
- Severity Metric: 53.44
- Document Revision: 14