mailing list archives
Lotus Response to "Domino Server Directory Traversal Vulnerability"
From: Katherine Spanbauer <Katherine_Spanbauer () LOTUS COM>
Date: Tue, 9 Jan 2001 21:16:22 -0500
Lotus has published the following statement regarding the recently reported
issue "Domino Server Directory Traversal Vulnerability". This information
will be posted to the Lotus web site at http://www.lotus.com/security.
Product Manager, Notes and Domino Security
Lotus Development Corporation
katherine_spanbauer () lotus com
What is the nature of the vulnerability?
Given a known path and file name, files may accessed from a Domino server
running the HTTP task. This is limited to the file system (or drive) on
which the Domino server is installed. It is not possible to browse the
file system, but if a file name can be correctly guessed at, it can be
What versions of Domino are affected?
R5.0 - R5.0.6
R4x is not affected
How can I track this issue?
The SPR (Software Problem Report) number is KSPR4SPQ5S. When an SPR is
fixed, it is posted in the Fix List database on Notes.net -->
What are Lotus' plans to address this issue?
Lotus is treating this with the highest priority and has a fix being tested
now. This fix is planned for R5.0.6a and it will be posted to
http://notes.net as soon as it is available. We are currently targeting
the end of this week (13-Jan-01). If the schedule changes, this document
will be updated.
Is there a workaround available?
Yes. Until R5.0.6a is available, the following workaround is recommended:
Open the Administration Client
Select the server you want to administer
"Configuration" tab / "Server" section / Current server document :
Press the "Web" button
Select "Create URL mapping/redirection"
In the URL redirection document
+ "Basics" tab
Select: URL ---> Redirection URL
+ "Mapping" tab
Incoming URL: */../*
Redirection URL: [the URL you want to redirect to, for example "
Save the document
Restart the HTTP task
Miha Vitorovic of NIL Data Communications and Leonardo Rodrigues of
Solution Web posted similar solutions to the list and we acknowledge and
appreciate their contributions.
- Lotus Response to "Domino Server Directory Traversal Vulnerability" Katherine Spanbauer (Jan 10)