Bugtraq mailing list archives
Re: Lotus Response to "Domino Server Directory Traversal Vulnerability"
From: Vinci Chou <Captainbig () BIGFOOT COM>
Date: Thu, 11 Jan 2001 14:50:54 +0800
Katherine Spanbauer wrote:
> Lotus has published the following statement regarding the recently reported
> issue "Domino Server Directory Traversal Vulnerability". This information
> will be posted to the Lotus web site at http://www.lotus.com/security.
>
> + "Mapping" tab Incoming URL: */../*
I noticed that the page at www.lotus.com/security was updated minutes ago to say Incoming URL: *..* instead of Incoming URL: */../* because the latter can be bypassed if a "/" is replaced by "\" as pointed out by others in the LNotes-L mailing list. Though you won't get the "\" to work if you use the Netscape client in this case, other clients or telnet do. Any other patterns are insufficient.

Regards,
Vinci
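
The gap between the two mapping patterns discussed in this message can be checked offline. The following is an added example, not part of the original message or the Lotus statement; it assumes the rule's "*" matches any run of characters (modelled here with Python's fnmatch), and every request path in it is constructed for illustration.

```python
import fnmatch
import re

# Constructed request paths (not taken from the original message).
SAMPLE_PATHS = [
    "/docs/../file.txt",      # parent segment, forward slashes
    "/docs\\..\\file.txt",    # same segment, backslashes
    "/docs/..\\file.txt",     # mixed separators
    "/docs\\../file.txt",     # mixed separators
    "/docs/readme.txt",       # benign
    "/docs/notes..old.txt",   # benign, but the file name contains ".."
]


def rule_matches(pattern, path):
    # Assumption: "*" in the mapping rule matches any run of characters,
    # separators included. fnmatchcase avoids OS-specific path normalisation.
    return fnmatch.fnmatchcase(path, pattern)


def has_parent_segment(path):
    # Ground truth: a ".." segment when splitting on either separator.
    return ".." in re.split(r"[/\\]", path)


def audit(pattern, paths=SAMPLE_PATHS):
    """Return (missed, overblocked) for one deny pattern."""
    missed = [p for p in paths
              if has_parent_segment(p) and not rule_matches(pattern, p)]
    overblocked = [p for p in paths
                   if not has_parent_segment(p) and rule_matches(pattern, p)]
    return missed, overblocked


if __name__ == "__main__":
    for pattern in ("*/../*", "*..*"):
        missed, overblocked = audit(pattern)
        print(f"{pattern!r}: missed={missed} overblocked={overblocked}")
```

The broader pattern closes the separator gap, at the cost of also matching names that merely contain two consecutive dots.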