Vulnerability Development mailing list archives

Re: Lotus Domino 5.0.5 Web Server vulnerability - reading files outside the web root


From: Ninke Westra <ninke () B-B NL>
Date: Wed, 10 Jan 2001 17:58:20 +0100

Using file-protection or url-redirection only works for the original
exploit.

Both methods won't protect you from variations like using /.ns4/../ or
dummydirectory/.nsf/../../ to access the intended file.
The number of possible dummy directories is nearly limitless, which
clearly defeats the use of these two workarounds.

The solution offered by Leonardo Rodrigues <coelho () PERSOGO COM BR> on the bugtraq list is the best solution I've encountered so far.

Leonardo's fix involves adding a line to the domino\data\httpd.cnf file:
map  */../*   /somedatabase.nsf
Restart the domino server and you should be ok

(there is a chance that it might interfere with some relative links - one
could try mapping */.*  - I haven't tried this yet, nor have I encountered
any such problem on our servers.)


Ninke Westra - Principal Certified Lazy Person :P





Stefan Schmidt <sschmidt () INTRAWARE DE>
Sent by: VULN-DEV List <VULN-DEV () SECURITYFOCUS COM>
09-01-01 16:29
Please respond to sschmidt


        To:     VULN-DEV () SECURITYFOCUS COM
        cc:
        Subject:        Re: Lotus Domino 5.0.5 Web Server vulnerability - reading files outside the web root


You can temporarily fix the problem by creating a file protection. Protect
/.nsf/../ and set Default to no access. Also protect .ns4 and .box
The file protection will give You a login-prompt.

Stefan Schmidt
Manager IT
IntraWare AG
Brueckenmuehle 93 | D-36100 Petersberg
Phone +49 (0) 661/96 42-162 / Fax +49 (0) 661 - 96 42 99-162
Mobile +49 (0) 170/91 222 92
sschmidt () intraware de
http://www.intraware.de
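
Added example (not part of the original posts, and not Lotus code): a Python sketch comparing the coverage of a protection on the literal /.nsf/../ path with the two map patterns mentioned in the thread. It assumes glob-style matching in which "*" also matches "/", which may differ from Domino's own rule matching; the request paths are constructed and "placeholder.txt" and "app.nsf" are hypothetical names.

```python
from fnmatch import fnmatchcase

# Assumption: "*" matches any run of characters, "/" included (fnmatch
# semantics). Domino's own rule matching may differ; this compares coverage only.
PROTECTED_PREFIXES = ["/.nsf/../"]   # file protection on the original path
MAP_DOTDOT = "*/../*"                # pattern from the httpd.cnf map line
MAP_DOTSEG = "*/.*"                  # the untested alternative from the thread

# Constructed request paths; "placeholder.txt" stands in for any target file.
SAMPLES = [
    "/.nsf/../placeholder.txt",
    "/.ns4/../placeholder.txt",
    "/dummydirectory/.nsf/../../placeholder.txt",
    "/app.nsf/view?OpenView",        # ordinary request, hypothetical database
]


def prefix_protected(path):
    """True if the path starts with one of the literally protected prefixes."""
    return any(path.startswith(prefix) for prefix in PROTECTED_PREFIXES)


def coverage(paths):
    """For each path, report which of the three rules would catch it."""
    return {
        path: {
            "protection": prefix_protected(path),
            MAP_DOTDOT: fnmatchcase(path, MAP_DOTDOT),
            MAP_DOTSEG: fnmatchcase(path, MAP_DOTSEG),
        }
        for path in paths
    }


def uncovered(paths, rule):
    """Paths containing a '/../' segment that the named rule does not catch."""
    table = coverage(paths)
    return [p for p in paths if "/../" in p and not table[p][rule]]


if __name__ == "__main__":
    for path, hits in coverage(SAMPLES).items():
        print(path, hits)
    print("missed by protection:", uncovered(SAMPLES, "protection"))
    print("missed by map */../*:", uncovered(SAMPLES, MAP_DOTDOT))
```
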

