Skip to main content

Software  >  Lotus  >  

Lotus Domino Web Server Host/Location Buffer Overflow Vulnerability; reported by NGSS
 Technote (FAQ)
 
Question
Lotus Domino is subject to a buffer overflow vulnerability when performing a redirect operation under certain circumstances. This vulnerability can be exploited by a malicious user to bring down the Web server.
 
Answer
This issue was reported to Lotus Software Quality Engineering and SPR# KSPR5HTLW6 has been addressed in Domino 6.0.1. Domino R5x servers are not vulnerable to this issue.

Customers running 6.0 servers should upgrade to Domino 6.0.1 or later to resolve the problem.

Excerpt from the Lotus Notes and Domino Release 6.0.1 MR fix list (available at http://www.lotus.com/ldd):
    SPR# KSPR5HTLW6 - Fixed an HTTP buffer overflow.

A workaround is also available for Domino 6.0:

It is possible to limit the problem by reducing the number of total bytes allowed for all the HTTP headers. The default setting is 16k, but this can be safely reduced to 4 to 6k, which should be enough for nearly all legitimate URL requests and which will prevent the overflow. To set this field, edit the field labeled "Maximum Size of Request Headers" on the HTTP protocol limits section of the HTTP tab of the Server document.

Related URLs:

CERT VU#772817: http://www.kb.cert.org/vuls

NGSS Advisory # NISR17022003a: http://www.nextgenss.com/advisories/lotus-hostlocbo.txt
 
 
  

Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Rate this page
Please take a moment to complete this form to help us better serve you.
This material provides me with the information I need.




This material is clear and easy to understand.




Did the information help you to achieve your goal?
What updates, improvements, or related information would you like to see in this document?
Your response will be used to improve our document content. Requests for assistance, if applicable, should be submitted through your normal support channel as we cannot respond from this site.
Input the verification number to submit feedback:
Document information
 Product categories:
 Software
 Messaging Applications
 E-Mail
 Lotus End of Support Products
 Lotus Domino Server
 Operating system(s):
  AIX, HP-UX, Linux, Solaris, Windows, i5/OS, z/OS
 Software version:
  6.0
 Reference #:
  1104529
 IBM Group:
 Software Group
 Modified date:
 2007-02-13

Translate My Page
 
 

Rate this page

Help us improve this page. Your response will be used to improve our document content. Requests for assistance, if applicable, should be submitted through your normal support channel as we cannot respond from this site.