Bugtraq mailing list archives
Lotus Response to "Domino Server Directory Traversal Vulnerability"
From: Katherine Spanbauer <Katherine_Spanbauer () LOTUS COM>
Date: Tue, 9 Jan 2001 21:16:22 -0500
Lotus has published the following statement regarding the recently reported issue "Domino Server Directory Traversal Vulnerability". This information will be posted to the Lotus web site at http://www.lotus.com/security. Regards, Katherine Spanbauer Product Manager, Notes and Domino Security Lotus Development Corporation katherine_spanbauer () lotus com What is the nature of the vulnerability? Given a known path and file name, files may accessed from a Domino server running the HTTP task. This is limited to the file system (or drive) on which the Domino server is installed. It is not possible to browse the file system, but if a file name can be correctly guessed at, it can be accessed. What versions of Domino are affected? R5.0 - R5.0.6 R4x is not affected How can I track this issue? The SPR (Software Problem Report) number is KSPR4SPQ5S. When an SPR is fixed, it is posted in the Fix List database on Notes.net --> http://www.notes.net/R5FixList.nsf What are Lotus' plans to address this issue? Lotus is treating this with the highest priority and has a fix being tested now. This fix is planned for R5.0.6a and it will be posted to http://notes.net as soon as it is available. We are currently targeting the end of this week (13-Jan-01). If the schedule changes, this document will be updated. Is there a workaround available? Yes. Until R5.0.6a is available, the following workaround is recommended: Open the Administration Client Select the server you want to administer "Configuration" tab / "Server" section / Current server document : Press the "Web" button Select "Create URL mapping/redirection" In the URL redirection document + "Basics" tab Select: URL ---> Redirection URL + "Mapping" tab Incoming URL: */../* Redirection URL: [the URL you want to redirect to, for example " http://hostname/homepage.nsf"] Save the document Restart the HTTP task Acknowledgments: Miha Vitorovic of NIL Data Communications and Leonardo Rodrigues of Solution Web posted similar solutions to the list and we acknowledge and appreciate their contributions.
Current thread:
- Lotus Response to "Domino Server Directory Traversal Vulnerability" Katherine Spanbauer (Jan 10)
- <Possible follow-ups>
- Re: Lotus Response to "Domino Server Directory Traversal Vulnerability" Vinci Chou (Jan 12)