10th Dec 2001 [SBWID-4908]
COMMAND
HTTP database lock
SYSTEMS AFFECTED
LOTUS DOMINO 5.0.5 (French) and LOTUS DOMINO 5.0.8 (French) with the HTTP
service running.
PROBLEM
Sebastien MICHAUD and Olivier ALLAIRE found that it's possible to lock
any database through web access; access is enabled again only after
the server is restarted.
Apart from the fact that this bug induces a DoS on the targeted
databases, it can cause a DoS on the entire Domino server if certain
databases are locked. In that case there is no way to stop the Domino
server task, and the computer has to be physically rebooted.
This bug appears when the targeted database is not in use by the server
(so names.nsf and admin4.nsf are not concerned here) and is requested
through a web browser with the database name preceded by "/./" in the
requested URL.
Exploit :
----------
http://server_address/directory/./base_name.nsf
Example to lock the WEBADMIN.NSF database :
http://server/./webadmin.nsf
Example to lock the administrator mailbox :
http://server/mail/./administrator.nsf
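As an added defender-side example (not part of the original advisory): a small Python scanner that flags requests matching the "/./" pattern described above in an HTTP access log. It assumes the log is written in Common Log Format (an assumption; the Domino HTTP task's log layout is configurable, so adjust CLF_RE if yours differs) and uses constructed sample lines.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (Common Log Format). Two of them carry
# the "/./database.nsf" pattern from the advisory; the others are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2001:14:02:11 +0100] "GET /mail/administrator.nsf HTTP/1.0" 200 5120
10.0.0.9 - - [10/Dec/2001:14:02:15 +0100] "GET /./webadmin.nsf HTTP/1.0" 200 312
10.0.0.9 - - [10/Dec/2001:14:02:20 +0100] "GET /mail/./administrator.nsf?OpenDatabase HTTP/1.0" 200 290
10.0.0.7 - - [10/Dec/2001:14:03:02 +0100] "GET /names.nsf/./people?OpenView HTTP/1.0" 200 8000
10.0.0.7 - - [10/Dec/2001:14:03:10 +0100] "GET /images/logo.gif HTTP/1.0" 200 1400
"""

# Minimal Common Log Format parser: client, timestamp, method, request target, status.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A "/./" segment immediately in front of the .nsf file name is the trigger the
# advisory describes; "/./" elsewhere in the path (e.g. after the database) is not.
SUSPECT_RE = re.compile(r'/\./[^/]+\.nsf(?:/|$)', re.IGNORECASE)


def parse_clf(line):
    """Return the parsed fields of one CLF line, or None if it does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def find_dot_segment_nsf_requests(log_text):
    """Return (client, timestamp, raw path, normalised path) for each hit.

    The path is URL-decoded before matching so "%2E" encodings are caught too,
    and the normalised form shows which database the request actually targets.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if not rec:
            continue  # skip lines that are not in the expected format
        path = unquote(urlsplit(rec["target"]).path)
        if SUSPECT_RE.search(path):
            hits.append((rec["ip"], rec["ts"], path, posixpath.normpath(path)))
    return hits


if __name__ == "__main__":
    for ip, ts, raw, norm in find_dot_segment_nsf_requests(SAMPLE_LOG):
        print(f"{ts} {ip} requested {raw!r} -> targets {norm}")
```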
SOLUTION
Nothing yet. This bug has to be tested against 5.0.9 to check whether it
is vulnerable or not.