Lotus Domino HTTP Vulnerability
New (3.1.3)
Impact
A remote attacker could read arbitrary files outside the
web root directory on the web server.
Background
The Lotus Domino family of servers includes a web server which
implements the Hypertext Transfer Protocol (HTTP). The Lotus
Domino HTTP server, like most servers, keeps all of the files
which are allowed to be viewed by a web browser under a
directory referred to as the web root.
The Problem
It is possible to view files outside the web root directory
by submitting a request in which the path name begins with
"/.nsf/../". It is possible to view any file on
the server in this fashion, so long as the attacker knows
the full path name of the file, and the file resides on the
same disk partition as the web root.
Note that not all browsers accept path names of the form
described above. So if you try to test for this vulnerability
using your web browser and it doesn't work, it does not
necessarily mean your server is not vulnerable -- it could
be the browser that prevented the attempt.
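The following is an added example, not code from this advisory, from SAINT, or from Lotus. It scans constructed web access-log lines for the "/.nsf/../" pattern described above so that an administrator can find attempts in existing logs. The log lines, client addresses and file paths in it are constructed placeholders. It goes a little beyond the literal prefix: it URL-decodes the request target first (a "%2e%2e" segment is the same ".." once decoded), and it also flags a ".." that follows any ".nsf" segment, on the assumption that a ".." after a database name is as suspect as one after the bare "/.nsf/" prefix.

```python
"""Find Domino-style "/.nsf/../" traversal requests in Common Log Format lines.

Added example; constructed sample data, not the advisory's own code.
"""
import re
from urllib.parse import unquote

# Constructed sample access-log lines. Paths are illustrative placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2001:10:00:01 -0500] "GET /names.nsf HTTP/1.0" 200 2048
10.0.0.9 - - [10/Mar/2001:10:00:02 -0500] "GET /.nsf/../example/private.txt HTTP/1.0" 200 512
10.0.0.9 - - [10/Mar/2001:10:00:03 -0500] "GET /.nsf/%2e%2e/example/private.txt HTTP/1.0" 200 512
10.0.0.7 - - [10/Mar/2001:10:00:04 -0500] "GET /help/../index.html HTTP/1.0" 200 1024
10.0.0.7 - - [10/Mar/2001:10:00:05 -0500] "GET /docs/readme..txt HTTP/1.0" 200 300
"""

# Common Log Format: client ident user [time] "method target proto" status size
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def decode_path(target):
    """Drop the query string and URL-decode until stable (bounded),
    so percent-encoded dots are visible to the checks below."""
    path = target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(path):
    """Return a finding label for a decoded path, or None if it looks clean.

    Only a whole ".." segment counts; a name such as "readme..txt" does not.
    """
    segments = path.split("/")
    if ".." not in segments:
        return None
    # Signature from the advisory: a ".nsf" segment directly followed by "..".
    for i in range(len(segments) - 1):
        if segments[i].lower().endswith(".nsf") and segments[i + 1] == "..":
            return "domino-nsf-traversal"
    # Any other ".." segment reaching the server is still worth a look.
    return "dot-dot-segment"


def scan_log(text):
    """Return (client, decoded path, status, label) for each suspicious line."""
    findings = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        path = decode_path(m.group("target"))
        label = classify(path)
        if label:
            findings.append((m.group("client"), path, int(m.group("status")), label))
    return findings


if __name__ == "__main__":
    for client, path, status, label in scan_log(SAMPLE_LOG):
        print(f"{label:22} {status} {client} {path}")
```

A 200 status on a flagged request means the server served the file, so those lines deserve attention first; a 404 shows the attempt but not a success. Feed real log files through scan_log one file at a time, and widen the decode loop if your server is known to decode more than three layers.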
Resolution
Upgrade to Lotus Domino version 5.0.7
or higher when it becomes available.
Alternatively, a possible workaround would be to create a
URL redirection or mapping within the Domino Server
administrative client, and to isolate the Domino Server
installation on its own partition.
Where can I read more about this?
This vulnerability was reported by
Windows IT Security.