Buffer Overflow in Redirected Host/Location
February 19, 2003
To determine if you are vulnerable to this attack, download AppDetective from http://www.appsecinc.com/products/appdetective/domino
Risk level: High
Threat: This buffer overflow may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database server.
Versions Affected: Domino R6
A buffer overflow exists in the Domino HTTP web server. This buffer overflow occurs when the web server receives a request which will be redirected to a different page. By sending a long value in the Host request header, an attacker can overwrite the stack and execute arbitrary code under the security context of the web server.
Domino web servers often redirect requests to other web pages. The HTTP protocol supports this functionality by returning a 302 status code to the browser.
The client submitting a page request sets the HOST value in the HTTP request headers. When the Domino server redirects this request, it copies the value passed in as HOST into another buffer used to return the LOCATION response header. By submitting a long value in the HOST field, a buffer overflow occurs during the redirect process, allowing attack code submitted by the user to be executed.
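The defensive pattern the fix must follow is to bound and validate the client-supplied Host value before it is copied into the fixed-size buffer that holds the Location header. The following C program is an added illustration written for this advisory; it is not Lotus/Domino code, and the buffer sizes, the length cap and the function names (host_is_acceptable, build_location_header) are assumptions chosen for the example. It uses snprintf with an explicit size check so that an oversized Host value is refused rather than written past the end of the buffer, and it rejects CR/LF so a reflected value cannot terminate the response header.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example, not Domino code. Limits below are assumed for illustration. */
#define MAX_HOST_LEN   255   /* assumed cap on an accepted Host header value */
#define LOCATION_BUF   512   /* assumed size of the response-header buffer    */

/* Returns 1 if host is non-empty, within MAX_HOST_LEN, and made only of
 * characters plausible in hostname[:port] (or a bracketed IPv6 literal).
 * Returns 0 otherwise. CR, LF and other control characters are rejected so
 * the value cannot end the Location line or inject further headers. */
int host_is_acceptable(const char *host) {
    size_t n = 0;
    while (n <= MAX_HOST_LEN && host[n] != '\0') n++;   /* bounded scan */
    if (n == 0 || n > MAX_HOST_LEN) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':' ||
              c == '[' || c == ']'))
            return 0;
    }
    return 1;
}

/* Writes "Location: http://<host><path>\r\n" into out (capacity outlen).
 * Returns the number of bytes written, or -1 if the Host value is rejected
 * or the header would not fit. snprintf never writes more than outlen bytes;
 * the explicit check turns truncation into an error instead of a silently
 * shortened header. */
int build_location_header(const char *host, const char *path,
                          char *out, size_t outlen) {
    if (!host_is_acceptable(host)) return -1;
    int n = snprintf(out, outlen, "Location: http://%s%s\r\n", host, path);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return n;
}

int main(void) {
    char buf[LOCATION_BUF];
    char longhost[2048];                       /* constructed oversized Host */
    memset(longhost, 'A', sizeof longhost - 1);
    longhost[sizeof longhost - 1] = '\0';

    printf("normal host:    %d\n",
           build_location_header("www.example.com", "/index.html", buf, sizeof buf));
    printf("oversized host: %d\n",
           build_location_header(longhost, "/", buf, sizeof buf));
    printf("CRLF in host:   %d\n",
           build_location_header("www.example.com\r\nX: y", "/", buf, sizeof buf));
    return 0;
}
```

The bounded scan in host_is_acceptable matters as much as the snprintf: a length check that itself walks an unbounded string is still a read past the intended limit. Returning -1 on rejection leaves the caller to answer with a 400 rather than issue the redirect.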
To fix this problem, you should download and apply the latest MR/MU. These maintenance updates are available from the Lotus web site, http://www-10.lotus.com/ldd/r5fixlist.nsf/Progress/$first?opendocument
This particular issue is fixed in R6.0.1 (currently available).