Buffer Overflow in Redirected Host/Location

February 19, 2003

To determine if you are vulnerable to this attack, download AppDetective from http://www.appsecinc.com/products/appdetective/domino

Risk level: High

Threat: This buffer overflow may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database server.

Versions Affected: Domino R6

Summary:
A buffer overflow exists in the Domino HTTP web server. This buffer overflow occurs when the web server receives a request which will be redirected to a different page. By sending a long value in the Host request header, an attacker can overwrite the stack and execute arbitrary code under the security context of the web server.

Details:
Domino web servers often redirect requests to other web pages. The HTTP protocol supports this functionality by returning a code of 302 to the browser.

Within the HTTP request headers the user submitting a page request sets the HOST value. When the Domino server redirects this request, it copies the value passed in as HOST into another buffer used to return the LOCATION response header. By submitting a long value in the HOST field, a buffer overflow occurs during the redirect process, allowing attack code submitted by the user to be executed.
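The following is an added example, not code from this advisory or from Domino: a redirect routine that builds the LOCATION header from the HOST value with an explicit length and character check, so an over-long value is rejected instead of copied. The names build_location, host_is_valid and MAX_HOST_LEN, and the 255-byte limit, are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOST_LEN 255 /* assumed policy limit for a Host value */

/* Accept only a non-empty, bounded value made of hostname/port characters. */
static int host_is_valid(const char *host)
{
    size_t i;
    for (i = 0; host[i] != '\0'; i++) {
        unsigned char c = (unsigned char)host[i];
        if (i >= MAX_HOST_LEN)
            return -1;                      /* too long: reject, never truncate */
        if (!isalnum(c) && strchr(".-:[]", c) == NULL)
            return -1;                      /* CR, LF, spaces, etc. */
    }
    return i > 0 ? 0 : -1;
}

/* Build "Location: http://<host><path>\r\n" in out.
 * path is the server's own redirect target (assumed trusted here).
 * Returns the number of bytes written, or -1 if the request is rejected. */
int build_location(char *out, size_t out_size, const char *host, const char *path)
{
    int n;
    if (out == NULL || out_size == 0 || host == NULL || path == NULL)
        return -1;
    if (host_is_valid(host) != 0)
        return -1;
    /* snprintf never writes past out_size; an unchecked copy would. */
    n = snprintf(out, out_size, "Location: http://%s%s\r\n", host, path);
    if (n < 0 || (size_t)n >= out_size) {
        out[0] = '\0';                      /* did not fit: fail closed */
        return -1;
    }
    return n;
}

int main(void)
{
    char out[128], long_host[1025];         /* constructed sample inputs */
    memset(long_host, 'A', sizeof long_host - 1);
    long_host[sizeof long_host - 1] = '\0';
    printf("%d\n", build_location(out, sizeof out, "www.example.com", "/home.nsf"));
    printf("%d\n", build_location(out, sizeof out, long_host, "/home.nsf"));
    return 0;
}
```

A caller that receives -1 should answer with an error status rather than issue the redirect.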

Fix:
To fix this problem, you should download and apply the latest MR/MU. These maintenance updates are available from the Lotus web site, http://www-10.lotus.com/ldd/r5fixlist.nsf/Progress/$first?opendocument

This particular issue is fixed in R6.0.1 (currently available).
