Lotus Domino HTTP Vulnerability

New (3.1.3)

Impact

A remote attacker could read arbitrary files outside the web root directory on the web server.

Background

The Lotus Domino family of servers includes a web server which implements the Hypertext Transfer Protocol (HTTP). The Lotus Domino HTTP server, like most servers, keeps all of the files which are allowed to be viewed by a web browser under a directory referred to as the web root.

The Problem

It is possible to view files outside the web root directory by submitting a request in which the path name begins with "/.nsf/../". It is possible to view any file on the server in this fashion, so long as the attacker knows the full path name of the file, and the file resides on the same disk partition as the web root.

Note that not all browsers accept path names of the form described above. So if you try to exploit this vulnerability using your web browser and it doesn't work, it does not necessarily mean your server is not vulnerable -- it could be the browser that prevented the attempt.
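As an added example (not part of the original advisory), here is a small check a defender could run over Domino HTTP access logs to flag requests of the "/.nsf/../" shape described above; the log lines and the request regex are constructed for this example, and it goes slightly beyond the advisory by percent-decoding the path first so that encoded forms of ".." are caught as well.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format; not real Domino logs.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2001:10:00:01 +0000] "GET /names.nsf?Open HTTP/1.0" 200 4120
10.0.0.7 - - [01/Mar/2001:10:00:09 +0000] "GET /.nsf/../../winnt/win.ini HTTP/1.0" 200 512
10.0.0.9 - - [01/Mar/2001:10:01:13 +0000] "GET /.nsf/..%2f..%2fautoexec.bat HTTP/1.0" 200 300
10.0.0.9 - - [01/Mar/2001:10:01:20 +0000] "GET /icons/..%2f..%2fnotes.ini HTTP/1.0" 404 210
10.0.0.5 - - [01/Mar/2001:10:02:44 +0000] "GET /help/readme.nsf?OpenDatabase HTTP/1.0" 200 900
"""

# Pulls the client address and the request target out of one log line.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def decoded_segments(raw_target):
    """Drop the query string, percent-decode twice (so a double-encoded
    %252e is undone too), and split the path into its segments."""
    path = raw_target.split("?", 1)[0]
    return unquote(unquote(path)).split("/")

def has_dotdot(raw_target):
    """True if any segment is '..' once encoding is undone; a server that
    rejects traversal should never see one of these succeed."""
    return ".." in decoded_segments(raw_target)

def matches_nsf_signature(raw_target):
    """True for the exact shape from the advisory: the path starts with a
    '.nsf' segment immediately followed by '..', i.e. '/.nsf/../'."""
    segs = decoded_segments(raw_target)
    return len(segs) > 2 and segs[1] == ".nsf" and segs[2] == ".."

def scan_log(text):
    """Return (ip, target, reason) for each request that looks like a traversal
    attempt; the reason separates the advisory's signature from generic '..' use."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if matches_nsf_signature(target):
            hits.append((m.group("ip"), target, "nsf-traversal"))
        elif has_dotdot(target):
            hits.append((m.group("ip"), target, "dotdot"))
    return hits

if __name__ == "__main__":
    for ip, target, reason in scan_log(SAMPLE_LOG):
        print(f"{reason:14} {ip:10} {target}")
```

Because browsers may collapse ".." before sending, real attempts tend to come from tools and may be percent-encoded, which is why the decoding step runs before the match.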

Resolution

Upgrade to Lotus Domino version 5.0.7 or higher when it becomes available. Alternatively, a possible workaround would be to create a URL redirection or mapping within the Domino Server administrative client, and to isolate the Domino Server installation on its own partition.

Where can I read more about this?

This vulnerability was reported by Windows IT Security.