Vulnerability: Lotus Domino
Affected: Lotus Domino 5.0.5 Web Server

Description

The following is based on Georgi Guninski security advisory #32. Lotus Domino Web Server under Windows 2000 (other versions have not been tested) allows reading files outside the web root. The problem is URLs like:

http://TARGETDOMINO/.nsf/../winnt/win.ini

which reads c:\winnt\win.ini. Note that the above URL does not work in IE; for some strange reason IE strips .nsf/../, so try it from Netscape or with a direct HTTP request. This issue has been reproduced on several versions of Domino prior to 5.0.5.

Some people have come up with the following workaround: add a File Protection Document in your PAB/DD:

Path: /.box/../
Access Control: -Default- - No Access

Repeat this for .ns4 and .nsf (.ns3 and .ntf are not affected). Once you have done this, do "tell http restart" or bounce your server. This workaround does not always work. Try:

http://TARGETDOMINO/.nsf/AAA/../../FILE

Solution

Lotus has been able to reproduce the vulnerability and shall fix it in an upcoming release.

The reason half of the people attempting to verify this came up with "file not found" is most likely that they were trying to download something from %systemroot%, given the example above. If Domino was installed on a different drive than your OS, those particular files are not reachable through this security hole. The only (ha, only!) things available are items installed on the same drive as your Domino installation.
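As an added detection example (not part of the advisory and not Lotus's code), the following Python scans web-server access-log lines for the request shape described above: a ".." segment appearing after a segment ending in .nsf, .ns4 or .box, with percent-encoding decoded first so that %2e%2e variants are caught. The log lines, client addresses and file names are constructed for the example; the extension list follows the advisory (.ns3 and .ntf excluded).

```python
import re
from urllib.parse import unquote

# Database extensions the advisory lists as affected (.ns3 and .ntf are not).
AFFECTED_EXTENSIONS = (".nsf", ".ns4", ".box")

# Constructed sample access-log lines in common log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2001:10:00:00 +0000] "GET /names.nsf?OpenDatabase HTTP/1.0" 200 812
10.0.0.9 - - [01/Jan/2001:10:00:01 +0000] "GET /.nsf/../winnt/win.ini HTTP/1.0" 200 214
10.0.0.9 - - [01/Jan/2001:10:00:02 +0000] "GET /.nsf/AAA/../../notes.ini HTTP/1.0" 200 1337
10.0.0.9 - - [01/Jan/2001:10:00:03 +0000] "GET /mail.ns4/%2e%2e/notes.ini HTTP/1.0" 404 0
10.0.0.9 - - [01/Jan/2001:10:00:04 +0000] "GET /help.ns3/../notes.ini HTTP/1.0" 404 0
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')

def decode_segments(raw_path):
    """Drop the query string, percent-decode the path and split it into segments.
    Back-slashes are treated as separators because the target runs on Windows."""
    path = unquote(raw_path.split("?", 1)[0]).replace("\\", "/")
    return [s for s in path.split("/") if s]

def find_traversal(raw_path):
    """Return the affected extension if a '..' segment follows a segment ending in
    .nsf/.ns4/.box; return None for ordinary Domino URLs or unaffected extensions."""
    seen_ext = None
    for seg in decode_segments(raw_path):
        if seg == ".." and seen_ext:
            return seen_ext
        for ext in AFFECTED_EXTENSIONS:
            if seg.lower().endswith(ext):
                seen_ext = ext
    return None

def scan_log(text):
    """Return (client_ip, request_path, extension) for every matching log line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        ext = find_traversal(m.group(1))
        if ext:
            hits.append((line.split()[0], m.group(1), ext))
    return hits

if __name__ == "__main__":
    for ip, path, ext in scan_log(SAMPLE_LOG):
        print(f"{ip} traversal via {ext}: {path}")
```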