14th Mar 2003 [SBWID-6062]
COMMAND
	Lotus Notes/Domino Web Retriever HTTP Status Buffer Overflow
SYSTEMS AFFECTED
	1. Affected system(s):
	   KNOWN VULNERABLE:
	    o Lotus Notes/Domino R4.5 server and client
	    o Lotus Notes/Domino R4.6 server and client
	    o Lotus Notes/Domino R5 server and client
	    o Lotus Notes/Domino R6 beta (pre-Gold) server and client
	   NOT VULNERABLE:
	    o Lotus Notes/Domino R6.0 Gold
	    o Lotus Notes/Domino R6.0.1
	    o Lotus Notes/Domino R5.0.12
PROBLEM
	
	_______________________________________________________________________
	                     Rapid7, Inc. Security Advisory
	      Visit http://www.rapid7.com/ to download NeXpose, the
	           world's most advanced vulnerability scanner.
	       Linux and Windows 2000/XP versions are available now!
	_______________________________________________________________________
	Rapid7 Advisory R7-0011
	Lotus Notes/Domino Web Retriever HTTP Status Buffer Overflow
	   Published:  March 12, 2003
	   Revision:   1.0
	   http://www.rapid7.com/advisories/R7-0011.html
	   CVE:           CAN-2003-0123
	   Lotus SPR:     KSPR5DFJTR
	   IBM Technote:  1105060
	   Bugtraq ID:    7038
	
	2. Summary
	   The Lotus Notes/Domino Web Retriever task is responsible for
	   retrieving web pages on behalf of Notes users who want to access the
	   web via their Notes server.
	   The Web Retriever program will crash when it receives an overly long
	   HTTP status line from a remote web server.
	   If the Web Retriever is running as a server task, the crash will
	   cause a denial of service on the server.
	   If the Web Retriever is running locally on a client, the crash will
	   bring down the Notes client with it.
	5. Detailed analysis
	   By issuing an overly long status message in its HTTP response, a
	   remote server can crash the Web Retriever process.  The response
	   line consists of the standard HTTP version and code followed by an
	   overly long (~6000 bytes) status message, followed by two carriage
	   return/linefeed pairs.
	
	      HTTP/1.1 200 Ax6000<crlf><crlf>
	
	   A response length of around 6000 bytes is usually sufficient to crash
	   the Web Retriever.  Using a somewhat smaller buffer will still
	   corrupt the heap, but the crash may not occur until the corrupted
	   portions of the heap are later used.
SOLUTION
	4. Solution
	   Users running R5 should upgrade to Notes R5.0.12.  Users of R6
	   pre-Gold releases should upgrade R6.0 Gold or higher.  Due to other
	   vulnerabilities discovered in R6.0 Gold, you should consider
	   upgrading to R6.0.1, which was released in February 2003.
	   Domino incremental installers may be downloaded from the following
	   URL (which has been wrapped):
	
	   http://www14.software.ibm.com
	      /webapp/download/search.jsp?go=y&rs=ESD-DMNTSRVRi&sb=r
	
	   As a workaround, you can disable the Web Retriever task on the
	   server.  To do this, first remove the 'Web' entry from the
	   ServerTasks line in the server's NOTES.INI file, then issue the
	   'tell web quit' command at the server console.
	   In addition, consider removing the Web Retrieval database (typically
	   /WEB.NSF) or lock down its ACL so that no users can access it.  If
	   the Web Retriever is disabled, users probably do not need access to
	   this database.
	   Notes clients will be vulnerable to this if they are configured to
	   use the Notes web browser instead of an external browser program.
	   This option can be viewed in the Internet browser section of the
	   current Location document.
	
	3. Vendor status and information
	   Lotus
	   http://www.lotus.com/
	   http://www.ibm.com/
	   Lotus was notified and they have fixed this vulnerability.  Lotus is
	   tracking this issue with SPR #KSPR5DFJTR.  [1] IBM has also prepared
	   Technote #1105060, which discusses this vulnerability.  [2]
	   See the References section for more information.
	6. References
	   [1] Lotus SPR #KSPR5DFJTR (URL wrapped)
	   http://www-10.lotus.com
	      /ldd/r5fixlist.nsf/Search?SearchView&Query=KSPR5DFJTR
	   [2] IBM Technote #1105060 (URL wrapped)
	   http://www-1.ibm.com
	      /support/docview.wss?rs=482&q=Domino&uid=swg21105060
	7. Contact Information
	   Rapid7 Security Advisories
	   Email:   [email protected]
	   Web:     http://www.rapid7.com/
	   Phone:   +1 (212) 558-8700
	8. Disclaimer and Copyright
	   Rapid7, Inc. is not responsible for the misuse of the information
	   provided in our security advisories.  These advisories are a service
	   to the professional security community.  There are NO WARRANTIES
	   with regard to this information.  Any application or distribution of
	   this information constitutes acceptance AS IS, at the user's own
	   risk.  This information is subject to change without notice.
	   This advisory Copyright (C) 2003 Rapid7, Inc.  Permission is
	   hereby granted to redistribute this advisory, providing that no
	   changes are made and that the copyright notices and disclaimers
	   remain intact.