Re: bugtraq id 2173 Lotus Domino Server

[Hendrik-Jan Verheij]

Thanks to Ninke Westra for testing this...   The same problem as in my previous post exists in this case   If you append a phoney directory to the  url passed on to the webserver the exploit will still work, however you have to back out an extra time.   example url:   target.victim.com/nonexistingdir/.nsf/../../fileyouwanttoget This makes the url redirection solution less obvious to guess, but it still leaves you vulnerable.   Regards,   Hendrik-Jan Verheij  http://redheat.org Hostmaster Popin Internet    +3174 2555770 [EMAIL PROTECTED]    http://www.popin.nl Assimilation is irrelevant, You are futile! ----- Original Message ----- From: Alan Bell To: [EMAIL PROTECTED] Sent: Tuesday, January 09, 2001 12:02 PM Subject: bugtraq id 2173 Lotus Domino Server Further information on this issue: 1) This issue has been reproduced on several versions of domino prior to 5.0.5 2) My testing has failed to reproduce this issue on Linux and OS/400 (AS/400) 3) To secure your boxes create 3 file protection documents for each server granting no access to the following paths. /.nsf/../ /.box/../ /.ns4/../ the other common domino extensions .ns3 and .ntf do not appear to be vulnerable. This is not a Lotus supported solution (as yet) so there may be additional similar paths with this behaviour. You should watch http://www.notes.net for an upgrade which will probably appear as 5.0.6a. Alan.