Vulnerability Note VU#601312
Lotus Domino vulnerable to DoS via crafted HTTP header requests
The Lotus Domino Web Server contains a flaw that could be exploited to cause a denial of service.
The memory allocated for HTTP requests that carry unique values in the "Accept", "Accept-Charset", "Accept-Encoding", "Accept-Language" or "Content-Type" header is not freed properly. As a result, submitting numerous requests for a document, such as the root (/), with varying accept values (accept: a, accept: aa, accept: aaa, ...) will cause the server to run out of physical memory. The server will then display an error message similar to this one:
"HTTP Server: Could allocate 8036 bytes of memory
Out of memory in HTMemPoolAlloc (file htmpool.c, line 506).
Program aborted."
The server will eventually run out of physical memory and a denial of service will result.
An application layer filter may be able to detect and block unapproved requests.
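As an added example that is not part of this note or of Lotus Domino, the filter below shows one form the application layer filter mentioned above could take: it parses a raw HTTP/1.x request, rejects syntactically invalid values in the five headers named in the note, and blocks a client whose set of distinct values in those headers keeps growing. The header syntax rules, the churn threshold and the sample traffic are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# The five request headers the note says Domino fails to free when each request carries a new value.
LEAKY_HEADERS = ("accept", "accept-charset", "accept-encoding", "accept-language", "content-type")
# Syntax rules are an assumption of this example, not from the note: Accept/Content-Type carry
# media ranges (text/html, */*), the other three plain tokens; all may be comma lists with ;q= params.
_TOKEN = r"[A-Za-z0-9!#$&^_.+*-]+"
_MEDIA = r"(?:\*|[A-Za-z0-9!#$&^_.+-]+)/(?:\*|[A-Za-z0-9!#$&^_.+-]+)"
_PARAMS = r"(?:\s*;\s*[A-Za-z0-9!#$&^_.+-]+=[^;,\s]+)*"
_list_of = lambda item: re.compile(r"^%s%s(?:\s*,\s*%s%s)*$" % (item, _PARAMS, item, _PARAMS))
SYNTAX = {h: _list_of(_MEDIA if h in ("accept", "content-type") else _TOKEN) for h in LEAKY_HEADERS}

def parse_request(raw):
    # Request line, then "Name: value" lines up to the first blank line; names are lower-cased.
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if line == "":
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

class LeakyHeaderFilter:
    # Blocks malformed leaky-header values, and blocks a client once it has sent more distinct
    # (header, value) pairs than a browser plausibly would (the threshold is a tunable assumption).
    def __init__(self, max_distinct=20):
        self.max_distinct = max_distinct
        self.seen = defaultdict(set)   # client -> {(header, value)}

    def inspect(self, client, raw_request):
        _, headers = parse_request(raw_request)
        for name in headers.keys() & SYNTAX.keys():
            if not SYNTAX[name].match(headers[name]):
                return "block: malformed %s" % name
            self.seen[client].add((name, headers[name]))
        if len(self.seen[client]) > self.max_distinct:
            return "block: header churn"
        return "allow"

# Constructed sample traffic: a browser-like request, the note's "accept: aaa" pattern, and a
# client that changes a syntactically valid Accept-Language value on every request.
def run_demo(max_distinct=20):
    f = LeakyHeaderFilter(max_distinct)
    normal = f.inspect("10.0.0.1", "GET / HTTP/1.0\r\nAccept: text/html, */*;q=0.8\r\n"
                       "Accept-Language: en-US,en;q=0.5\r\n\r\n")
    malformed = f.inspect("10.0.0.2", "GET / HTTP/1.0\r\nAccept: aaa\r\n\r\n")
    churn = [f.inspect("10.0.0.3", "GET / HTTP/1.0\r\nAccept-Language: x%d\r\n\r\n" % i)
             for i in range(max_distinct + 5)]
    return normal, malformed, churn
```

The churn counter is kept per client address only; behind a shared proxy the threshold should be raised or keyed on something finer than the source IP.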
Systems Affected

| Vendor | Status | Date Notified | Date Updated |
| --- | --- | --- | --- |
| Lotus | Affected | 16 Oct 2000 | 12 Jul 2001 |
CVSS Metrics
- VU#555464 VU#676552 VU#890128 VU#642760
Our thanks to Defcom Labs, which published an advisory on this and other problems, available at http://www.securityfocus.com/frames/?content=/templates/advisory.html?id=3208.
This document was written by Jason Rafail and is based on information obtained from a Defcom Labs Advisory.
- CVE IDs: Unknown
- Date Public: 11 Apr 2001
- Date First Published: 12 Jul 2001
- Date Last Updated: 17 Jul 2001
- Severity Metric: 9.98
- Document Revision: 19
If you have feedback, comments, or additional information about this vulnerability, please send us email.