Lotus Domino 5.0.5 Web Server vulnerability WORK AROUNDS

["Dyson, Thom" <TDyson () SYBEX COM>]

These came to me from the Notes Admin List.


-------Solution 1---------
I don't the original author of this fix, so I can't give proper credit.

Add a File Protection Document in your PAB/DD:

Path:     /.box/../

Access Control:     -Default- - No Access

Repeat this for .ns4 and .nsf (.ns3 and .ntf are not affected).

Once you do this, do "tell http restart" or bounce your server.


-------Solution 2---------
> Well, as Lotus haven't released a fix for the *confirmed* bug, we
> get a workaround. Adding the following line:
>
> map */../* /something.nsf
>
>          at httpd.conf, seems to handle the bug. You should notice that
> EVERYTHING using ../ links will stop working too, including the bug !
>
>          We tested this on NT4 sp6a and Domino 5.0.5, and we COULDN'T get
> the bug working after those lines were added.
>
>          As we couldn't reproduce the bug on Linux Domino servers, and
> seems that nobody could, we don't think adding those lines on Linux
> httpd.conf servers is necessary.
>
>          Sincerily,
>         Rodolfo Stein (rstein () persogo com br)
>          Solution Web ( http://www.solutionweb.com.br )



Solution one works.  I have not tried solution 2.

Thom Dyson
Director of Information Services
Sybex, Inc.