Endpoint Protection

  • 1.  Anyone got an idea what this Intrusion prevention alert is referring to? HTTP Lotus Domino Password bypass detected

    Posted Dec 18, 2009 11:36 AM
    Hi.

    Out of interest mainly.....

    I have a user who reported this message. SEP had flagged up an intrusion prevention message saying the following:

    HTTP Lotus domino Password Bypass detected
    Traffic has been blocked from this application: C:\Program Files\Internet Explorer\iexplore.exe

    The remote host IP address is that of our Internet proxy server, the remote MAC being 00-00-00-00-00-00.

    User claims he was only web browsing from Google to the IBM site.

    Any ideas?

    Thanks.


  • 2.  RE: Anyone got an idea what this Intrusion prevention alert is referring to? HTTP Lotus Domino Password bypass detected

    Posted Dec 18, 2009 11:44 AM
    You can actually bypass the password for Lotus by creating a crafted request:
    http://marc.info/?l=bugtraq&m=101284222932568&w=2


  • 3.  RE: Anyone got an idea what this Intrusion prevention alert is referring to? HTTP Lotus Domino Password bypass detected

    Posted Dec 18, 2009 11:49 AM
    Yeah, I saw that - that's an old vulnerability.... But do you think something was running in his IExplore.exe process trying to use this old method?


  • 4.  RE: Anyone got an idea what this Intrusion prevention alert is referring to? HTTP Lotus Domino Password bypass detected
    Best Answer

    Posted Dec 18, 2009 11:52 AM
    Could be, or maybe the way the IBM page was handled in IE triggered the rule.
    Might have matched the pattern defined in that vulnerability.
    I would say a false positive in that case.


  • 5.  RE: Anyone got an idea what this Intrusion prevention alert is referring to? HTTP Lotus Domino Password bypass detected

    Posted Dec 18, 2009 11:54 AM
    That's what I thought - false positive - I just found it quite exciting as you don't often see hacks for Lotus stuff....

    Thanks ....