Bugtraq mailing list archives
Lotus Domino 5.0.5 Web Server vulnerability WORK AROUNDS
From: "Dyson, Thom" <TDyson () SYBEX COM>
Date: Tue, 9 Jan 2001 08:49:54 -0800
These came to me from the Notes Admin List.

-------Solution 1---------
I don't know the original author of this fix, so I can't give proper credit.

Add a File Protection Document in your PAB/DD:

Path: /.box/../
Access Control: -Default- - No Access

Repeat this for .ns4 and .nsf (.ns3 and .ntf are not affected). Once you do this, do "tell http restart" or bounce your server.

-------Solution 2---------
Well, as Lotus haven't released a fix for the *confirmed* bug, we get a workaround. Adding the following line:

map */../* /something.nsf

at httpd.conf, seems to handle the bug. You should notice that EVERYTHING using ../ links will stop working too, including the bug!

We tested this on NT4 sp6a and Domino 5.0.5, and we COULDN'T get the bug working after those lines were added. As we couldn't reproduce the bug on Linux Domino servers, and seems that nobody could, we don't think adding those lines on Linux httpd.conf servers is necessary.

Sincerely,
Rodolfo Stein (rstein () persogo com br)
Solution Web ( http://www.solutionweb.com.br )
Solution one works. I have not tried solution 2.

Thom Dyson
Director of Information Services
Sybex, Inc.
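
Added example (not part of the original post and not Lotus code): a Python sketch that audits access-log lines against both workarounds, listing requests that Solution 1's three protected paths would deny and the other ../ requests that Solution 2's map rule would also redirect. The Common Log Format layout, the substring and fnmatch matching semantics, and the sample lines are assumptions made for illustration.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import unquote, urlsplit

# Solution 1: the three File Protection paths named in the post.
# Assumption: treated as case-insensitive substrings of the request path.
SOLUTION1_PATHS = ("/.box/../", "/.ns4/../", "/.nsf/../")

# Solution 2: the template of the quoted "map */../* /something.nsf" rule.
# Assumption: fnmatch-style wildcards approximate the server's matching.
SOLUTION2_TEMPLATE = "*/../*"

# Assumption: Common Log Format request field, "METHOD URL PROTOCOL".
REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')


def classify(url):
    """Return 'solution1', 'solution2-only' or None for one request URL."""
    # Drop the query string and decode once so matching sees the plain path.
    path = unquote(urlsplit(url).path)
    if any(p in path.lower() for p in SOLUTION1_PATHS):
        return "solution1"
    if fnmatchcase(path, SOLUTION2_TEMPLATE):
        return "solution2-only"
    return None


def audit(lines):
    """Group logged request URLs by the workaround that would catch them."""
    report = {"solution1": [], "solution2-only": []}
    for line in lines:
        m = REQUEST.search(line)
        if m is None:
            continue  # not a request line in the assumed format
        verdict = classify(m.group(1))
        if verdict is not None:
            report[verdict].append(m.group(1))
    return report


# Constructed sample lines (documentation addresses, placeholder file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Jan/2001:08:49:54 -0800] "GET /.nsf/../placeholder.txt HTTP/1.0" 200 512',
    '192.0.2.11 - - [09/Jan/2001:08:50:02 -0800] "GET /help/../index.html HTTP/1.0" 200 2048',
    '192.0.2.12 - - [09/Jan/2001:08:50:10 -0800] "GET /homepage.nsf?Open HTTP/1.0" 200 4096',
    '192.0.2.10 - - [09/Jan/2001:08:50:15 -0800] "GET /.box/../placeholder.txt HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for verdict, urls in audit(SAMPLE_LOG).items():
        print(verdict, urls)
```

Entries under "solution2-only" are the ../ links that Solution 2 would stop serving even though they do not touch the three protected paths.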