Vulnerability

    Lotus Notes

Affected

    Lotus Notes R5.0 - R5.0.6

Description

    Lotus has published the following statement regarding the recently
    reported issue "Domino Server Directory Traversal  Vulnerability".
    This information will be posted to the Lotus web site.

    Given a known path and file name, files may accessed from a Domino
    server running the HTTP task.  This is limited to the file  system
    (or drive) on  which the Domino  server is installed.   It is  not
    possible to  browse the  file system,  but if  a file  name can be
    correctly guessed at, it can be accessed.

    R4x is not affected.

    Acknowledgments goes to Miha Vitorovic of NIL Data  Communications
    and  Leonardo  Rodrigues  of  Solution  Web  that  posted  similar
    solutions to the list  and Lotus acknowledge and  appreciate their
    contributions.

Solution

    The SPR (Software Problem Report)  number is KSPR4SPQ5S.  When  an
    SPR is fixed, it is posted in the Fix List database on Notes.net:

        http://www.notes.net/R5FixList.nsf

    Lotus is  treating this  with the  highest priority  and has a fix
    being tested now.    This fix is planned  for R5.0.6a and it  will
    be posted to http://notes.net as  soon as it is available.   Until
    R5.0.6a is available, the following workaround is recommended:

        * Open the Administration Client
        * Select  the server  you want  to administer  "Configuration"
          tab / "Server" section / Current server document :
          - Press the "Web" button
          - Select "Create URL mapping/redirection"
        * In the URL redirection document
          + "Basics" tab
          - Select: URL ---> Redirection URL
          + "Mapping" tab
          - Incoming URL:  *..*
          - Redirection  URL: [the  URL you  want to  redirect to, for
            example " http://hostname/homepage.nsf"]
        * Save the document
        * Restart the HTTP task