Bugtraq mailing list archives

Re: Lotus Response to "Domino Server Directory Traversal Vulnerability"


From: Vinci Chou <Captainbig () BIGFOOT COM>
Date: Thu, 11 Jan 2001 14:50:54 +0800

Katherine Spanbauer wrote:

 Lotus has published the following statement regarding the recently reported
 issue "Domino Server Directory Traversal Vulnerability".  This information
 will be posted to the Lotus web site at http://www.lotus.com/security.

   + "Mapping" tab
          Incoming URL:  */../*

I noticed that the page at www.lotus.com/security was updated minutes ago
to say
          Incoming URL: *..*
instead of
          Incoming URL:  */../*

because the latter can be bypassed if a "/" is replaced by "\", as
pointed out by others on the LNotes-L mailing list.  Though you won't
get the "\" to work if you use the Netscape client in this case, other
clients or telnet do.

Any other patterns are insufficient.

Regards,
Vinci
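
Added example, not part of the original message or of Lotus's statement: a check of the two "Incoming URL" patterns quoted above against constructed request paths, showing which paths each pattern lets through. It assumes the pattern's "*" behaves like a shell-style wildcard that also matches "/" and "\"; the sample paths and function names are hypothetical.

```python
from fnmatch import fnmatchcase

# The two "Incoming URL" patterns quoted in the message above.
SLASH_ONLY = "*/../*"
ANY_DOTDOT = "*..*"

# Constructed request paths (placeholder names, not captured traffic).
# The flag records whether the path contains a ".." path segment.
SAMPLES = [
    ("/app.nsf/view/doc", False),
    ("/app.nsf/../placeholder.txt", True),
    ("/app.nsf/..\\placeholder.txt", True),
    ("/app.nsf\\..\\placeholder.txt", True),
    ("/docs/notes..old.nsf", False),
]


def is_redirected(pattern, path):
    """True if the mapping pattern would catch this request path."""
    # Assumption: "*" matches any run of characters, "/" and "\" included.
    return fnmatchcase(path, pattern)


def evaluate(pattern, samples=SAMPLES):
    """Return traversal paths the pattern misses and benign paths it catches."""
    missed = [p for p, traversal in samples
              if traversal and not is_redirected(pattern, p)]
    false_positives = [p for p, traversal in samples
                       if not traversal and is_redirected(pattern, p)]
    return {"missed": missed, "false_positives": false_positives}


if __name__ == "__main__":
    for pattern in (SLASH_ONLY, ANY_DOTDOT):
        print(pattern, evaluate(pattern))
```

The broader pattern closes the separator gap at the cost of also redirecting legitimate names that contain two consecutive dots, which is worth checking against existing database and document names before deploying the rule.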

