Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Lotus Response to "Domino Server Directory Traversal Vulnerability"
From: Vinci Chou <Captainbig () BIGFOOT COM>
Date: Thu, 11 Jan 2001 14:50:54 +0800

Katherine Spanbauer wrote:

 Lotus has published the following statement regarding the recently
reported
 issue "Domino Server Directory Traversal Vulnerability".  This
information
 will be posted to the Lotus web site at
http://www.lotus.com/security.

   + "Mapping" tab
          Incoming URL:  */../*

I noticed that the page at www.lotus.com/security was updated minutes
ago to say
          Incoming URL: *..*
instead of
          Incoming URL:  */../*

because the latter can be bypassed if a "/" is replaced by "\" as
pointed out by others in the LNotes-L mailing list.  Though you won't
get the "\" to work if you use Netscape client in this case, other
clients or telnet do.

Any other patterns are insufficient.

Regards,
Vinci


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault