
CERT Coordination Center

Lotus Domino Web Server vulnerable to buffer overflow via non-existent "h_SetReturnURL" parameter with an overly long "Host Header" field

Vulnerability Note VU#772817

Original Release Date: 2003-02-19 | Last Revised: 2003-03-26


Lotus Domino Web Server is an application that provides access to Lotus Notes databases via HTTP requests. A vulnerability exists that could permit a remote attacker to execute arbitrary code on the server.


Lotus Domino Web Server contains a vulnerability in the nhttp.exe application that could permit a remote attacker to execute arbitrary code on the server with SYSTEM privileges.

The problem occurs when the web server responds with a "302 Moved Temporarily" redirection error. The "Location:" header contained in this response is composed in part from the Host: header contained in the request. By carefully manipulating the length of the Host: header before and after URL encoding, the attacker can cause the resulting Location: header to contain information in adjacent memory on the web server. This vulnerability was reportedly discovered using a Windows 2000 (SP3) machine running Domino release 6.0.

Further information is available in NGSSoftware advisory NISR17022003a and in IBM Technote 1104529 (SPR# KSPR5HTLW6). This vulnerability is addressed in Domino Release 6.0.1. Domino Release 5 is not affected.


A remote attacker could execute arbitrary code on the server with SYSTEM privileges.


Upgrade to Domino Release 6.0.1.

Filter HTTP Requests with Large Headers

Sites that are able to deploy a monitoring system between the Internet and their web server may be able to detect and block packets with large amounts of header data.
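One way to implement the header-size check described above, as an added example that is not part of the original note or of any vendor tooling. The function name `inspect_request`, both size limits, and the use of worst-case percent-encoding as a stand-in for the server's own URL encoding are assumptions of this sketch.

```python
import re
from urllib.parse import quote_from_bytes

# Assumed limits for this example; tune them to the site's real traffic.
MAX_HOST_LEN = 255        # a DNS name is at most 253 characters, plus ":port"
MAX_HEADER_BYTES = 8192   # request line plus all header lines

# hostname or IPv4 literal, or bracketed IPv6 literal, with an optional port
HOST_RE = re.compile(rb"(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+)(:\d{1,5})?")

def inspect_request(raw):
    """Return the reasons to block a raw HTTP request head (empty list = pass)."""
    reasons = []
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        reasons.append("incomplete header block")
    if len(head) > MAX_HEADER_BYTES:
        reasons.append("header block too large")
    hosts = []
    for line in head.split(b"\r\n")[1:]:           # skip the request line
        if line[:1] in (b" ", b"\t"):
            reasons.append("folded header line")   # folding splits one value over lines
            continue
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"host":
            hosts.append(value.strip())
    if len(hosts) > 1:
        reasons.append("multiple Host headers")
    for host in hosts:
        # Measure the value as it would look once percent-encoded: bytes that
        # need encoding triple in size, so a short raw value can still be long.
        if len(quote_from_bytes(host, safe="")) > MAX_HOST_LEN:
            reasons.append("Host header too long")
        if not HOST_RE.fullmatch(host):
            reasons.append("Host header is not a plain host[:port]")
    return reasons

if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = {
        "normal": b"GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
        "long": b"GET / HTTP/1.0\r\nHost: " + b"A" * 400 + b"\r\n\r\n",
        "expands": b"GET / HTTP/1.0\r\nHost: " + b"\xff" * 100 + b"\r\n\r\n",
    }
    for label, request in samples.items():
        print(label, inspect_request(request) or "pass")
```

The third sample is only 100 bytes on the wire but is rejected on length because it grows to 300 characters when percent-encoded, which is why the check measures the encoded form rather than the raw one.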

Vendor Information


Lotus Software

Notified: January 15, 2003 | Updated: March 17, 2003



Vendor Statement

Lotus Domino Web Server Host/Location Buffer Overflow
Status 5.x: Not vulnerable
Status 6.x: Fixed in 6.0.1, Workaround for 6.0
Document #: 1104529

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A



Thanks to Mark Litchfield of NGSSoftware for reporting this vulnerability.

This document was written by Jason A Rafail.

Other Information

CVE IDs: None
CERT Advisory: CA-2003-11
Severity Metric: 53.44
Date Public: 2003-02-17
Date First Published: 2003-02-19
Date Last Updated: 2003-03-26 17:39 UTC
Document Revision: 14

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.