Katherine Spanbauer wrote:
> Lotus has published the following statement regarding the recently reported
> issue "Domino Server Directory Traversal Vulnerability". This information
> will be posted to the Lotus web site at http://www.lotus.com/security.
> + "Mapping" tab
> Incoming URL: */../*
I noticed that the page at www.lotus.com/security was updated minutes
ago to say
Incoming URL: *..*
instead of
Incoming URL: */../*
because the latter can be bypassed if a "/" is replaced by "\" as
pointed out by others in the LNotes-L mailing list. Though you won't
get the "\" to work if you use the Netscape client in this case, other
clients or telnet do.
Any other patterns are insufficient.
Regards,
Vinci
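
The pattern comparison discussed in the message above, as an added example that is not part of the original post or of Lotus's statement. It assumes Python's `fnmatchcase` is an adequate stand-in for Domino's `*` wildcard matching, and all request paths are constructed placeholders.

```python
from fnmatch import fnmatchcase

# The two "Incoming URL" mapping patterns named in the message.
OLD_PATTERN = "*/../*"
NEW_PATTERN = "*..*"

# Constructed request paths (placeholders, not real Domino paths).
SAMPLES = {
    "forward-slash traversal": "/app/../placeholder.txt",
    "backslash on the left": "/app\\../placeholder.txt",
    "backslash on both sides": "/app\\..\\placeholder.txt",
    "ordinary request": "/app/view/page.html",
    "benign name containing two dots": "/app/report..final.html",
}

# Labels of the samples a traversal-blocking rule is expected to catch.
TRAVERSAL = [
    "forward-slash traversal",
    "backslash on the left",
    "backslash on both sides",
]


def coverage(pattern, samples=SAMPLES):
    """Return {label: bool}: does the mapping pattern match each path?"""
    # Assumption: fnmatchcase '*' (matches any run of characters,
    # separators included) approximates the server's wildcard.
    return {label: fnmatchcase(path, pattern) for label, path in samples.items()}


def missed_by(pattern, must_catch=TRAVERSAL, samples=SAMPLES):
    """Return the sorted labels in must_catch that the pattern fails to match."""
    hits = coverage(pattern, samples)
    return sorted(label for label in must_catch if not hits[label])


if __name__ == "__main__":
    for pattern in (OLD_PATTERN, NEW_PATTERN):
        print(f"{pattern!r} misses: {missed_by(pattern)}")
    # The broader rule also redirects harmless names that contain "..".
    extra = coverage(NEW_PATTERN)["benign name containing two dots"]
    print(f"{NEW_PATTERN!r} matches benign double-dot name: {extra}")
```

The broader pattern closes the separator gap at the cost of also matching legitimate names that contain two consecutive dots, which is worth checking against existing content before deploying the rule.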