
Bugtraq mailing list archives

Re: Lotus Response to "Domino Server Directory Traversal Vulnerability"
From: Vinci Chou <Captainbig () BIGFOOT COM>
Date: Thu, 11 Jan 2001 14:50:54 +0800

Katherine Spanbauer wrote:

 Lotus has published the following statement regarding the recently
 issue "Domino Server Directory Traversal Vulnerability".  This
 will be posted to the Lotus web site at

   + "Mapping" tab
          Incoming URL:  */../*

I noticed that the page at www.lotus.com/security was updated minutes
ago to say
          Incoming URL: *..*
instead of
          Incoming URL:  */../*

because the latter can be bypassed if a "/" is replaced by "\" as
pointed out by others in the LNotes-L mailing list.  Though you won't
get the "\" to work if you use the Netscape client in this case, other
clients or telnet do.

Any other patterns are insufficient.
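
The coverage difference between the two "Incoming URL" patterns discussed above, as an added example that is not part of the original message or of the Lotus statement. It assumes the rule's wildcard behaves like a shell-style glob in which `*` matches any run of characters; the request paths are constructed samples.

```python
from fnmatch import fnmatchcase

# Assumption: the "Incoming URL" wildcard works like a shell-style glob
# where "*" matches any run of characters, separators included.
OLD_PATTERN = "*/../*"   # pattern from the first version of the statement
NEW_PATTERN = "*..*"     # pattern from the updated page

# Constructed request paths (not taken from the advisory).
SAMPLES = [
    "/help/index.html",
    "/help/../secret.txt",
    "/help\\..\\secret.txt",
    "/help/..\\secret.txt",
    "/help\\../secret.txt",
    "/notes/v1..2/readme.html",
]

def has_parent_segment(path):
    """Ground truth: True if any path segment is exactly '..',
    treating both '/' and '\\' as separators."""
    return ".." in path.replace("\\", "/").split("/")

def missed_by(pattern, paths):
    """Paths that contain a '..' segment but are NOT matched by the rule."""
    return [p for p in paths
            if has_parent_segment(p) and not fnmatchcase(p, pattern)]

def overblocked_by(pattern, paths):
    """Paths matched by the rule that contain no '..' segment at all."""
    return [p for p in paths
            if fnmatchcase(p, pattern) and not has_parent_segment(p)]

if __name__ == "__main__":
    for pattern in (OLD_PATTERN, NEW_PATTERN):
        print("pattern:", pattern)
        print("  missed:     ", missed_by(pattern, SAMPLES))
        print("  overblocked:", overblocked_by(pattern, SAMPLES))
```

Under that assumption the broader pattern leaves no `..` segment unmatched in the sample set, at the cost of also matching a name that merely contains two consecutive dots.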

