IBM Lotus Domino Administration Databases Anonymous Access

This script is Copyright (C) 2001-2012 Javier Fernandez-Sanguino Pena


Synopsis :

The remote service is affected by information disclosure
vulnerabilities.

Description :

The remote Lotus Domino server allows an anonymous user to access
sensitive information such as users, databases, server configuration
(including operating system and hard disk partitioning), and user
access logs (which could expose sensitive data if HTML forms are
submitted with GET).

See also :

http://archives.neohapsis.com/archives/apps/nessus/2001-q1/0416.html
http://www-1.ibm.com/support/docview.wss?uid=swg27002555
http://archives.neohapsis.com/archives/bugtraq/2002-09/0051.html

Solution :

Verify all of the ACLs for the available databases and remove those
that are not needed.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 5.0
(CVSS2#E:H/RL:U/RC:C)
Public Exploit Available : true

Family: Web Servers

Nessus Plugin ID: 10629 (domino_default_db.nasl)

Bugtraq ID: 5101

CVE ID: CVE-2002-0664