mailing list archives
Lotus Domino 5.0.5 Web Server vulnerability WORK AROUNDS
From: "Dyson, Thom" <TDyson () SYBEX COM>
Date: Tue, 9 Jan 2001 08:49:54 -0800
These came to me from the Notes Admin List.
I don't the original author of this fix, so I can't give proper credit.
Add a File Protection Document in your PAB/DD:
Access Control: -Default- - No Access
Repeat this for .ns4 and .nsf (.ns3 and .ntf are not affected).
Once you do this, do "tell http restart" or bounce your server.
Well, as Lotus haven't released a fix for the *confirmed* bug, we
get a workaround. Adding the following line:
map */../* /something.nsf
at httpd.conf, seems to handle the bug. You should notice that
EVERYTHING using ../ links will stop working too, including the bug !
We tested this on NT4 sp6a and Domino 5.0.5, and we COULDN'T get
the bug working after those lines were added.
As we couldn't reproduce the bug on Linux Domino servers, and
seems that nobody could, we don't think adding those lines on Linux
httpd.conf servers is necessary.
Rodolfo Stein (rstein () persogo com br)
Solution Web ( http://www.solutionweb.com.br )
Solution one works. I have not tried solution 2.
Director of Information Services
- Lotus Domino 5.0.5 Web Server vulnerability WORK AROUNDS Dyson, Thom (Jan 09)