Home page logo

bugtraq logo Bugtraq mailing list archives

Lotus Domino 5.0.5 Web Server vulnerability WORK AROUNDS
From: "Dyson, Thom" <TDyson () SYBEX COM>
Date: Tue, 9 Jan 2001 08:49:54 -0800

These came to me from the Notes Admin List.

-------Solution 1---------
I don't the original author of this fix, so I can't give proper credit.

Add a File Protection Document in your PAB/DD:

Path:     /.box/../

Access Control:     -Default- - No Access

Repeat this for .ns4 and .nsf (.ns3 and .ntf are not affected).

Once you do this, do "tell http restart" or bounce your server.

-------Solution 2---------
Well, as Lotus haven't released a fix for the *confirmed* bug, we
get a workaround. Adding the following line:

map */../* /something.nsf

         at httpd.conf, seems to handle the bug. You should notice that
EVERYTHING using ../ links will stop working too, including the bug !

         We tested this on NT4 sp6a and Domino 5.0.5, and we COULDN'T get
the bug working after those lines were added.

         As we couldn't reproduce the bug on Linux Domino servers, and
seems that nobody could, we don't think adding those lines on Linux
httpd.conf servers is necessary.

        Rodolfo Stein (rstein () persogo com br)
         Solution Web ( http://www.solutionweb.com.br )

Solution one works.  I have not tried solution 2.

Thom Dyson
Director of Information Services
Sybex, Inc.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]