Bugtraq mailing list archives

Re: bugtraq id 2173 Lotus Domino Server


From: Hendrik-Jan Verheij <h.j.verheij () POPIN NL>
Date: Tue, 9 Jan 2001 21:21:32 +0100

Thanks to Ninke Westra for testing this...

The same problem as in my previous post exists in this case.

If you append a phoney directory to the url passed on to the webserver the exploit will still work, however you have to back out an extra time.

example url:

target.victim.com/nonexistingdir/.nsf/../../fileyouwanttoget

This makes the url redirection solution less obvious to guess, but it still leaves you vulnerable.

Regards,

Hendrik-Jan Verheij  http://redheat.org
Hostmaster Popin Internet    +3174 2555770
h.j.verheij () popin nl    http://www.popin.nl
Assimilation is irrelevant, You are futile!
  ----- Original Message ----- 
  From: Alan Bell 
  To: BUGTRAQ () SECURITYFOCUS COM 
  Sent: Tuesday, January 09, 2001 12:02 PM
  Subject: bugtraq id 2173 Lotus Domino Server



  Further information on this issue: 

  1) This issue has been reproduced on several versions of Domino prior to 5.0.5 
  2) My testing has failed to reproduce this issue on Linux and OS/400 (AS/400) 
  3) To secure your boxes create 3 file protection documents for each server granting no access to the following paths. 

  /.nsf/../ 
  /.box/../ 
  /.ns4/../ 

  The other common Domino extensions .ns3 and .ntf do not appear to be vulnerable. This is not a Lotus supported solution (as yet) so there may be additional similar paths with this behaviour. You should watch http://www.notes.net for an upgrade which will probably appear as 5.0.6a. 

  Alan.
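
The following log check is an added example, not part of either post: it compares a rule anchored at the three root paths listed above with one that looks for the same `.nsf/../`, `.box/../` and `.ns4/../` segments at any depth, which is the case the reply describes. The log format, the sample lines, the function names and the percent-decoding step are assumptions made for the illustration.

```python
import re
from urllib.parse import unquote

EXTS = ("nsf", "box", "ns4")  # extensions listed in the quoted post
ROOT_PREFIXES = tuple("/.%s/../" % e for e in EXTS)
# A path segment that is exactly ".<ext>" followed by a ".." segment, at any depth.
ANY_DEPTH = re.compile(r"(?:^|/)\.(?:%s)/\.\.(?:/|$)" % "|".join(EXTS), re.I)
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/')

def decoded_path(target):
    """Drop the query string and undo percent-encoding (up to 3 layers)."""
    path = target.split("?", 1)[0]
    for _ in range(3):
        step = unquote(path)
        if step == path:
            break
        path = step
    return path

def root_rule_matches(target):
    """A rule that only covers /.nsf/../, /.box/../ and /.ns4/../ at the root."""
    return decoded_path(target).lower().startswith(ROOT_PREFIXES)

def any_depth_matches(target):
    """The same segments, wherever they appear in the path."""
    return bool(ANY_DEPTH.search(decoded_path(target)))

def scan(lines):
    """Return (request target, caught by root-only rule?) for each flagged line."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if m and any_depth_matches(m.group(1)):
            hits.append((m.group(1), root_rule_matches(m.group(1))))
    return hits

# Constructed sample lines (assumed common log format, documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Jan/2001:12:00:01 +0100] "GET /.nsf/../fileyouwanttoget HTTP/1.0" 403 0',
    '192.0.2.10 - - [09/Jan/2001:12:00:05 +0100] "GET /nonexistingdir/.nsf/../../fileyouwanttoget HTTP/1.0" 200 512',
    '192.0.2.11 - - [09/Jan/2001:12:01:00 +0100] "GET /a/%2Ensf/%2E%2E/%2E%2E/fileyouwanttoget HTTP/1.0" 200 512',
    '192.0.2.12 - - [09/Jan/2001:12:02:00 +0100] "GET /app.nsf/view?OpenView HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for target, caught_at_root in scan(SAMPLE_LOG):
        print("%-50s root-only rule catches it: %s" % (target, caught_at_root))
```
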
