{"vuid":"VU#772817","idnumber":"772817","name":"Lotus Domino Web Server vulnerable to buffer overflow via non-existent \"h_SetReturnURL\" parameter with an overly long \"Host Header\" field","keywords":["Lotus Domino Web Server","buffer overflow","non-existent h_SetReturnURL parameter","Host Header field","KSPR5HTLW6"],"overview":"Lotus Domino Web Server is an application that provides access to Lotus Notes databases via HTTP requests. A vulnerability exists that could permit a remote attacker to execute arbitrary code on the server.","clean_desc":"Lotus Domino Web Server contains a vulnerability in the nhttp.exe application that could permit a remote attacker to execute arbitrary code on the server with SYSTEM privileges. The problem occurs when the web server responds with a \"302 Moved Temporarily\" redirection error. The \"Location:\" header contained in this response is composed in part from the Host: header contained in the request. By carefully manipulating the length of the Host: header before and after URL encoding, the attacker can cause the resulting Location: header to contain information in adjacent memory on the web server. This vulnerability was reportedly discovered using a Windows 2000 (SP3) machine running Domino release 6.0. Further information is available in NGSSoftware advisory NISR17022003a and in IBM Technote 1104529 (SPR# KSPR5HTLW6). This vulnerability is addressed in Domino Release 6.0.1. Domino Release 5 is not affected.","impact":"A remote attacker could execute arbitrary code on the server with SYSTEM privileges.","resolution":"Upgrade to Domino Release 6.0.1.","workarounds":"Filter HTTP Requests with Large Headers\n\nSites that are able to deploy a monitoring system between the Internet and their web server may be able to detect and block packets with large amounts of header data.","sysaffected":"","thanks":"Thanks to Mark Litchfield of NGSSoftware for reporting this vulnerability.","author":"This document was written by Jason A Rafail.","public":["http://www.nextgenss.com/advisories/lotus-hostlocbo.txt","http://www-1.ibm.com/support/docview.wss?uid=swg21104529","http://www-1.ibm.com/support/docview.wss?uid=swg27003694","http://www-1.ibm.com/services/continuity/recover1.nsf/4699c03b46f2d4f68525678c006d45ae/85256a3400529a8685256cd7007acda6?OpenDocument"],"cveids":[""],"certadvisory":"CA-2003-11","uscerttechnicalalert":null,"datecreated":"2003-01-15T16:10:29Z","publicdate":"2003-02-17T00:00:00Z","datefirstpublished":"2003-02-19T22:05:14Z","dateupdated":"2003-03-26T17:39:57Z","revision":14,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"10","cam_population":"15","cam_impact":"19","cam_easeofexploitation":"20","cam_attackeraccessrequired":"20","cam_scorecurrent":"53.4375","cam_scorecurrentwidelyknown":"64.125","cam_scorecurrentwidelyknownexploited":"106.875","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":53.4375,"vulnote":null}