[24933] in bugtraq


Re: KPMG-2002006: Lotus Domino Physical Path Revealed

daemon@ATHENA.MIT.EDU (Nicolas Gregoire)
Wed Apr 3 14:47:45 2002

From: Nicolas Gregoire <ngregoire@exaprobe.com>
To: bugtraq@securityfocus.com
Date: Sun, 03 Mar 2002 13:01:01 +0100
In-Reply-To: <000f01c1da51$354931c0$1f00a8c0@KPMGIRMPGRUNDL>
Message-Id: <2VFD04RMEC06VR42NHB8QNEAOJJFFA43.3c82107d@NICOLAS>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"

02/04/2002 16:18:06, Peter Gründl <pgrundl@kpmg.dk> wrote :

>Problem:
>========
>Due to problems handling Windows DOS devices, the Domino Server
>can be brought to show the physical location of the web root.

>Corrective action:
>==================
>Upgrade to Lotus Domino V5.0.10, which can be downloaded here:
>http://www.notes.net/qmrdown.nsf

This upgrade solves the "banner disclosure" issue too, which was 
presented to Bugtraq readers in my post regarding "physical path 
disclosure" [1].

Apparently, the banner string was hard-coded in the "htcgibin.exe" 
module ...

Thanks to Peter Gründl <pgrundl@kpmg.dk> for testing the latest 
Domino release for this bug.

[1] : http://online.securityfocus.com/archive/1/254768


Nicolas Gregoire
Exaprobe


