
Lotus Domino DOT Bug Allows for Source Code Viewing
13th Feb 2003 [SBWID-5989]
COMMAND

	Lotus Domino DOT Bug Allows for Source Code Viewing

SYSTEMS AFFECTED

	Verified in Lotus Domino versions 5 and 6

PROBLEM

	Faz [faz@attbi.com] found:
	
	If you append a period to the end of a non-default Lotus file type (non
	.NSF, .NTF, etc.) via your browser URL request, you will be prompted to
	download the file. One possible repercussion of this is the ability to
	view the source code for add-in web handlers such as Crystal Reports,
	Perl scripts and others. In some cases (such as Crystal Reports) where
	such file types are server-side run (similar to .ASP), they may
	reference additional INCLUDE files that contain logins and passwords.
	An attacker can easily use this technique to view the server-side
	source code and additional INCLUDE files to obtain private information.
	
	For example:
	
	http://some.dominoserver.com/reports/secretreport.csp.        <-- end the URL with a <period>
	http://some.dominoserver.com/cgi-bin/myscript.pl .            <-- notice the <space><period>
	http://some.dominoserver.com/cgi-bin/runme.exe%20.            <-- combination of hex <space> and an ASCII period
	http://some.dominoserver.com/reports/secretreport.csp%20%2E   <-- all hex values
	
	will return the actual .CSP source code instead of the compiled report.
	This seems to work for all types of non-native Lotus Domino file types.
	A short-term workaround is to create Domino redirection filters for the
	various non-native file types ending with the combinations above, but
	some creative formatting of the URL can easily bypass these redirection
	filters.
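
	The following Python script is an example added to this page by the
	editor; it is not code from the advisory or from Faz. It generates the
	trailing-character probe URLs above for a given base URL, and contrasts
	a literal suffix blocklist (the redirection-filter workaround) with a
	dispatcher that picks the handler on a canonicalized path, which shows
	why the workaround is bypassable and what a fix has to do instead. The
	hostname, paths, handler names, the blocklist contents and the extra
	encodings beyond the four given in the advisory are assumptions for
	illustration and say nothing about how Domino itself parses a request.

```python
"""Trailing-period probe generator and canonicalization check.

Added example for this page (editor's code, not the advisory's). The host,
paths, handler names and blocklist below are assumed for illustration and
say nothing about how Domino itself parses a request.
"""
from urllib.parse import unquote

# The first four suffixes are the forms given in the advisory. The remaining
# ones are further spellings of "trailing space and/or period" that I assume a
# literal pattern filter would miss; they are not from the advisory.
TRAILING_VARIANTS = [".", " .", "%20.", "%20%2E", "%2e", "%20%20.", "%2E%20"]

# Assumed mapping of non-native (non-.NSF/.NTF) extensions to add-in handlers.
SERVER_SIDE_HANDLERS = {".csp": "crystal-reports", ".pl": "perl-cgi", ".exe": "cgi-exe"}

# A literal-suffix "redirection filter" of the kind the advisory describes as a
# short-term workaround: it only knows the exact spellings it was given.
NAIVE_BLOCKLIST = [ext + v for ext in SERVER_SIDE_HANDLERS
                   for v in (".", " .", "%20.", "%20%2E")]

HOST = "http://some.dominoserver.com"  # assumed host from the advisory's example


def probe_urls(base_url: str) -> list[str]:
    """One URL per variant, as a scanner would request them in turn."""
    return [base_url + v for v in TRAILING_VARIANTS]


def canonical_path(raw_path: str) -> str:
    """Percent-decode once, then drop trailing spaces and periods.

    Decoding is done exactly once on purpose: decoding again would turn
    %252E into a period and reopen the problem as a double-encoding bug.
    """
    return unquote(raw_path).rstrip(" .")


def extension(path: str) -> str:
    """Lower-cased extension of the last path segment, or '' if none."""
    name = path.rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def naive_filter_blocks(raw_path: str) -> bool:
    """What the literal-suffix filter would catch, matched on the raw request."""
    return any(raw_path.endswith(s) for s in NAIVE_BLOCKLIST)


def dispatch(raw_path: str) -> tuple[str, str]:
    """Choose the handler on the canonical path and return (handler, path).

    Because the lookup never sees the trailing junk, no spelling of it can
    demote a server-side script to a plain file download.
    """
    path = canonical_path(raw_path)
    return SERVER_SIDE_HANDLERS.get(extension(path), "static-file"), path


def bypasses_naive_filter(raw_path: str) -> bool:
    """True when the literal filter passes a request whose canonical form is a
    server-side script but whose raw form differs from it: the case in which a
    server that dispatches on the raw path would hand out the source."""
    handler, path = dispatch(raw_path)
    return handler != "static-file" and path != raw_path and not naive_filter_blocks(raw_path)


if __name__ == "__main__":
    for url in probe_urls(HOST + "/reports/secretreport.csp"):
        raw = url[len(HOST):]
        verdict = "block" if naive_filter_blocks(raw) else "pass"
        print(f"{url:60s} filter={verdict:5s} canonical={dispatch(raw)} "
              f"bypass={bypasses_naive_filter(raw)}")
```

	Run as a script it lists, for each variant, whether the literal filter
	would stop it and what the canonical dispatcher resolves it to; the
	lowercase "%2e" and double-space forms pass the filter while still
	canonicalizing to the .CSP handler, which is the bypass the advisory
	warns about. The lesson for the server side is to canonicalize before
	choosing the handler rather than to enumerate bad suffixes.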

SOLUTION

	None yet
