COMMAND

    Domino HTTP server

SYSTEMS AFFECTED

    Lotus Domino 5.08 and earlier

PROBLEM

    Hendrik-Jan Verheij reported the following, discovered & tested by Ninke Westra:

    There exists a DOS in the current version of Lotus Domino 5.08 and earlier. The DOS manifests itself on Lotus Domino servers with the http task running and SSL enabled.

    A connection to the victim on port 443 with the nmap '-sR' switch will target this port with SunRPC program NULL commands in an attempt to determine whether it is an RPC port, and if so, what program and version number it serves up.

    Our first attempt brought the Domino test server down. Tests on other setups revealed the same behaviour. The task that crashes is the nhttp task. It takes down the whole server.

    The nmap command used:

        nmap -n -p 443 -sR www.vicitim.com

    Lotus has acknowledged the issue and the internal reference number is SPR # MALR4Y6RL8

SOLUTION

    The issue has been fixed in Lotus Domino 5.09, which is available from www.notes.net as an incremental upgrade.
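
The following is an added example, not part of the original advisory or of any Lotus or nmap code: a small classifier for the first client payload captured on port 443, telling a TLS or SSLv2 handshake apart from the ONC RPC call (RFC 5531 framing) that the report describes arriving on the SSL port. The function names, sample byte strings, source addresses and the program number in the sample are constructed for illustration.

```python
import struct

RPC_CALL = 0       # msg_type value for a call (RFC 5531)
RPC_VERSION = 2    # ONC RPC protocol version
MIN_CALL_LEN = 40  # xid..proc (24 bytes) plus empty cred and verf (16 bytes)

def classify_first_bytes(data: bytes) -> str:
    """Classify the first client payload seen on a TLS port."""
    # ONC RPC over TCP: 4-byte record marker, then xid, msg_type,
    # rpcvers, prog, vers, proc as big-endian 32-bit words.
    if len(data) >= 28:
        marker, _xid, mtype, rpcvers, _prog, _vers, proc = struct.unpack(">7I", data[:28])
        frag_len = marker & 0x7FFFFFFF  # top bit is the last-fragment flag
        if mtype == RPC_CALL and rpcvers == RPC_VERSION and frag_len >= MIN_CALL_LEN:
            return "sunrpc-null-call" if proc == 0 else "sunrpc-call"
    # TLS / SSLv3 record: content type 0x16 (handshake), major version 3.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"
    # SSLv2 ClientHello: 2-byte length with the high bit set, message type 1.
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-hello"
    return "unknown"

def flag_rpc_probes(flows):
    """Return the source addresses whose first payload was an RPC call."""
    return [src for src, payload in flows
            if classify_first_bytes(payload).startswith("sunrpc")]

# Constructed samples (not captured traffic); addresses are documentation ranges.
SAMPLE_RPC_NULL = struct.pack(">I", 0x80000000 | 40) + struct.pack(
    ">10I", 0x12345678, RPC_CALL, RPC_VERSION, 100000, 2, 0, 0, 0, 0, 0)
SAMPLE_TLS_HELLO = bytes.fromhex("1603010005") + b"\x01\x00\x00\x01\x00"
SAMPLE_FLOWS = [("192.0.2.10", SAMPLE_TLS_HELLO), ("192.0.2.77", SAMPLE_RPC_NULL)]

if __name__ == "__main__":
    for src in flag_rpc_probes(SAMPLE_FLOWS):
        print("non-TLS RPC call on TLS port from", src)
```

Fed with the first payload of each inbound connection from a packet capture or proxy log, this gives a quick way to tell whether unexplained nhttp crashes on an unpatched server line up with RPC probes against port 443.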