Bugtraq mailing list archives
Re: Lotus Domino DOT Bug Allows for Source Code Viewing
From: JRedmond () ymcastlouis org
Date: Wed, 12 Feb 2003 18:03:14 -0600
"Faz" <faz () attbi com> wrote:
> Through some testing against some Lotus Domino web servers (verified in
> version 5 & 6), if you append a period to the end of a non-default Lotus
> file type (non .NSF, .NTF, etc) via your browser URL request, you will be
> prompted to download the file.

I have been unable to recreate this on Domino 5.0.11, running on OS/400 V5R1. I get a 404 instead, whether I use MSIE or Mozilla or Opera, whether the trailing dot is present or not, and whether my connection is anonymous or name-and-password authenticated.

The difference here probably lies in the "Does this server use IIS?" option on the Domino Server Document (as maintained by the server's administrator). If checked, IIS handles all HTTP requests first. If this option is enabled, and the request is for non-Domino traffic (such as the examples listed in the original message), Domino does not receive the request. I have this option disabled on the system I tested; that particular operating system is not blessed with IIS.

Please check Microsoft's knowledge base and this list's archives to see if this is another IIS bug. If that's the case, then it may be why Lotus is "not too concerned about this" - it's nothing they can fix.

************************************
James Redmond, Domino Administrator
YMCA of Greater St. Louis
+1-314-436-1177 ext. 326
FAX +1-314-436-1901
jredmond () ymcastlouis org
************************************