[18493] in bugtraq


bugtraq id 2173 Lotus Domino Server

daemon@ATHENA.MIT.EDU (Alan Bell)
Tue Jan 9 13:17:54 2001

Message-Id:  <OF17A76F1D.75391A51-ON802569CF.003BA1A5@intec.co.uk>
Date:         Tue, 9 Jan 2001 11:02:32 +0000
Reply-To: ABell@INTEC.CO.UK
From: Alan Bell <ABell@INTEC.CO.UK>
To: BUGTRAQ@SECURITYFOCUS.COM

Further information on this issue:

1) This issue has been reproduced on several versions of Domino prior to
5.0.5
2) My testing has failed to reproduce this issue on Linux and OS/400
(AS/400)
3) To secure your boxes create 3 file protection documents for each server
granting no access to the following paths.

/.nsf/../
/.box/../
/.ns4/../

The other common Domino extensions .ns3 and .ntf do not appear to be
vulnerable. This is not a Lotus supported solution (as yet) so there may
be additional similar paths with this behaviour. You should watch
http://www.notes.net for an upgrade which will probably appear as 5.0.6a.

Alan.
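
A log check for the three paths listed in the message above, as an added example that is not part of the original post: it flags web access-log requests whose path contains any of them, so an administrator can see whether they were requested before the file protection documents were in place. It assumes Common Log Format lines; the sample lines, file names and addresses are constructed, and the percent-decoding and case-folding are defensive assumptions, not behaviour described in the post.

```python
import re
from urllib.parse import unquote

# The three paths the post says to deny with file protection documents.
BLOCKED = ("/.nsf/../", "/.box/../", "/.ns4/../")

# Assumption: Common Log Format; only the quoted request line is parsed.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?"')

def normalise(target):
    """Return the request path decoded and case-folded for matching."""
    path = target.split("?", 1)[0]
    # Decode a bounded number of times so encoded spellings of the
    # same three paths are not missed by a plain substring match.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return re.sub(r"/{2,}", "/", path.lower())

def matched_path(target):
    """Return the blocked path found in the request target, or None."""
    path = normalise(target)
    for blocked in BLOCKED:
        if blocked in path:
            return blocked
    return None

def scan(lines):
    """Return (line number, blocked path, raw target) for each flagged request."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m and (hit := matched_path(m.group("target"))):
            hits.append((number, hit, m.group("target")))
    return hits

# Constructed sample log lines (documentation addresses, placeholder file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Jan/2001:11:02:32 +0000] "GET /mail/example.nsf?OpenDatabase HTTP/1.0" 200 5120',
    '192.0.2.77 - - [09/Jan/2001:11:03:01 +0000] "GET /.nsf/../placeholder.txt HTTP/1.0" 200 312',
    '192.0.2.77 - - [09/Jan/2001:11:03:04 +0000] "GET /%2Ebox/%2E%2E/placeholder.txt HTTP/1.0" 200 312',
    '192.0.2.77 - - [09/Jan/2001:11:03:09 +0000] "GET /.NS4/../placeholder.txt HTTP/1.0" 200 312',
    '192.0.2.77 - - [09/Jan/2001:11:03:15 +0000] "GET /.ntf/../placeholder.txt HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for number, blocked, target in scan(SAMPLE_LOG):
        print(f"line {number}: {blocked} in {target}")
```

Only the three paths named in the post are matched; since the post notes there may be additional similar paths, extend BLOCKED if the vendor publishes more.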
