Lotus Domino Server Double Dot Arbitrary File Access

2001-01-05T00:00:00
ID OSVDB:1703
Type osvdb
Reporter OSVDB
Modified 2001-01-05T00:00:00

Description

Vulnerability Description

Lotus Domino contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when a requested URL contains '.nsf/..', causing a directory traversal that discloses the contents of arbitrary files on the server filesystem and results in a loss of confidentiality.

Solution Description

Upgrade to version 5.0.6a or higher, which has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: redirect URLs containing '..' to a real URL.
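As an added example that is not part of the OSVDB record, the following Python check flags request paths in which a '..' segment follows an '.nsf' component, after percent-decoding and slash normalisation; it can be run over access logs to detect attempts or used as the test behind the "redirect URLs containing '..'" workaround. The log lines and database name are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed access-log sample (not from the advisory); one request per line.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jan/2001:10:00:01 +0000] "GET /db.nsf/../../../example.txt HTTP/1.0" 200 154
10.0.0.5 - - [05/Jan/2001:10:00:02 +0000] "GET /db.nsf/%2e%2e/%2e%2e/example.txt HTTP/1.0" 200 154
10.0.0.7 - - [05/Jan/2001:10:00:03 +0000] "GET /db.nsf/People?OpenView HTTP/1.0" 200 8892
10.0.0.9 - - [05/Jan/2001:10:00:04 +0000] "GET /help/readme.nsf/$file/readme.txt HTTP/1.0" 200 120
"""

# Pulls the request path out of a common-log-format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

# An '.nsf/' component followed, possibly after other segments, by a '..' segment.
TRAVERSAL_RE = re.compile(r"\.nsf/(?:[^/?]*/)*\.\.(?:/|$|\?)")


def normalise_path(path: str) -> str:
    """Percent-decode twice (catches double encoding), fold '\\' to '/', lowercase."""
    decoded = unquote(unquote(path))
    return decoded.replace("\\", "/").lower()


def is_nsf_traversal(path: str) -> bool:
    """True if the normalised path carries a '..' segment after an .nsf component."""
    return TRAVERSAL_RE.search(normalise_path(path)) is not None


def scan_log(log_text: str) -> list[str]:
    """Return the raw request paths of log lines matching the traversal pattern."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_nsf_traversal(m.group("path")):
            hits.append(m.group("path"))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("traversal attempt:", hit)
```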

References:

Vendor Specific Advisory URL
Snort Signature ID: 1072
Nessus Plugin ID: 11344
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-01/0070.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-01/0143.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-01/0193.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-01/0120.html
Keyword: Directory Traversal
ISS X-Force ID: 5899
CVE-2001-0009
CERT VU: 590487
Bugtraq ID: 2173