Lotus Domino CGI Directory Path Disclosure

1999-12-21T00:00:00
ID OSVDB:50
Type osvdb
Reporter OSVDB
Modified 1999-12-21T00:00:00

Description

Vulnerability Description

Lotus Domino HTTP Server contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when a URL for a non-existent cgi-bin program is requested; the resulting error message discloses the actual filesystem path of the cgi-bin directory, resulting in a loss of confidentiality.

Technical Description

When a non-existent program under /cgi-bin/ is requested, the error message returned discloses the actual filesystem path of the cgi-bin directory. This may give an attacker information useful for further attacks.

Lotus did not consider the error message a security issue and provided workarounds rather than a fix. See the external references.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s):

1) If no CGI programs are needed, redirect the /cgi-bin directory to a Notes database or HTML file.

2) If CGI programs are needed, change the CGI URL path under the HTTP section of the Server Document to a different URL path such as /scripts/cgi-bin. Then, under DOMCFG.NSF, create a URL document that specifies /cgi-bin as the incoming URL path and redirects it to /scripts/cgi-bin.
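A check for whether an error page for a missing cgi-bin program still echoes a filesystem path, useful for confirming a workaround like the ones above took effect. This is an added example, not code from the OSVDB record or from Lotus; the HTTP responses are constructed and the Domino error text is imitated, not quoted.

```python
import re
from typing import List, Tuple

# Constructed sample HTTP responses (not captured from a real Domino server).
# LEAKY_* imitate the behaviour the advisory describes: the error page for a
# non-existent /cgi-bin/ program echoes the server's real cgi-bin directory.
# CLEAN_RESPONSE is what a server with the workaround applied should return.
REQUESTED_URL = "/cgi-bin/nosuchprog.exe"
HEAD = "HTTP/1.0 404 Not Found\r\nServer: Lotus-Domino\r\nContent-Type: text/html\r\n\r\n"
LEAKY_WINDOWS = HEAD + (
    "<html><body>Error 404: File does not exist: "
    "C:\\Lotus\\Domino\\Data\\domino\\cgi-bin\\nosuchprog.exe</body></html>")
LEAKY_UNIX = HEAD + (
    "<html><body>Error 404: File does not exist: "
    "/opt/lotus/notesdata/domino/cgi-bin/nosuchprog.exe</body></html>")
CLEAN_RESPONSE = HEAD + (
    "<html><body>Error 404: " + REQUESTED_URL + " not found</body></html>")

# Drive-letter paths (C:\...) and absolute POSIX paths with at least two
# segments. URL paths look like POSIX paths, so they are filtered below.
WINDOWS_PATH = re.compile(r"\b[A-Za-z]:\\(?:[^\\\s<>\"']+\\)*[^\\\s<>\"']*")
UNIX_PATH = re.compile(r"(?<![\w/:])/(?:[\w.-]+/)+[\w.-]*")


def split_response(raw: str) -> Tuple[int, str]:
    """Return (status code, body) from a raw HTTP/1.x response string."""
    head, _, body = raw.partition("\r\n\r\n")
    status = int(head.split(" ", 2)[1])
    return status, body


def find_path_disclosure(raw: str, requested_url: str) -> List[str]:
    """Filesystem paths leaked in the body that are not just the URL echoed back."""
    _, body = split_response(raw)
    hits = WINDOWS_PATH.findall(body) + UNIX_PATH.findall(body)
    # A server that echoes the requested URL is fine; a server that prints a
    # longer path containing it (its real cgi-bin directory) is not.
    return [p for p in hits if p != requested_url and p not in requested_url]


def is_leaky(raw: str, requested_url: str = REQUESTED_URL) -> bool:
    return bool(find_path_disclosure(raw, requested_url))


if __name__ == "__main__":
    for name, resp in (("windows", LEAKY_WINDOWS), ("unix", LEAKY_UNIX),
                       ("clean", CLEAN_RESPONSE)):
        print(name, find_path_disclosure(resp, REQUESTED_URL))
```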

References:

Vendor Specific Advisory URL
Related OSVDB ID: 51
Nessus Plugin ID: 10058
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/1999-q4/0476.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/1999-q4/0404.html
ISS X-Force ID: 4389
Generic Exploit URL: http://www.securityfocus.com/archive/1/177217
CVE-2000-0021
Bugtraq ID: 881