COMMAND

    Lotus Domino DOT Bug Allows for Source Code Viewing

SYSTEMS AFFECTED

    Verified in Lotus Domino version 5 & 6

PROBLEM

    Faz [faz@attbi.com] found :

    If you append a period to the end of a non-default Lotus file type (non .NSF,
    .NTF, etc) via your browser URL request, you will be prompted to download the
    file. This has a possible repercussion of the ability to view the source code
    for add-in web handlers such as Crystal Reports, Perl scripts and others. In
    some cases (such as Crystal Reports) where such file types are server-side run
    (similar to .ASP), they may reference additional INCLUDE files that contain
    logins and passwords. An attacker can easily use this technique to view the
    server-side source code and additional INCLUDE files to obtain private
    information.

    For example:

        http://some.dominoserver.com/reports/secretreport.csp.        <-- End the URL with a <period>
        http://some.dominoserver.com/cgi-bin/myscript.pl .            <-- notice the <space><period>
        http://some.dominoserver.com/cgi-bin/runme.exe%20.            <-- combination of hex <space> and an ASCII period
        http://some.dominoserver.com/reports/secretreport.csp%20%2E   <-- All hex values

    All of these will return the actual .CSP source code instead of the compiled
    report. This seems to work for all types of non-native Lotus Domino file
    types.

    A short term workaround is to create Domino redirection filters for the
    various non-native file types that end with the combinations above, but some
    creative formatting of the URL can easily bypass these redirection filters.

SOLUTION

    None yet
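The advisory's workaround (redirection filters keyed on literal suffixes) fails because the same trailing dot can be written as ".", " .", "%20." or "%20%2E". The check below, added here as an example and not part of the advisory, takes the defender's side of that problem: it percent-decodes the request path until it stops changing, strips trailing spaces and dots to get the name the filesystem would actually open, and flags any request for a non-native file type that was padded that way. It then runs that check over a few constructed access-log lines. The native-extension list, the log format and the repeated-decoding bound are assumptions made for the example, not something the advisory states.

```python
import os
import re
from urllib.parse import unquote

# File types Domino serves itself (the advisory says ".NSF, .NTF, etc").
# Constructed for this example; extend it to match the deployment.
NATIVE_EXTENSIONS = {".nsf", ".ntf"}

# Apache-style access-log line; the request field looks like "GET /path HTTP/1.0".
# Assumed log format for the example.
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"'
)


def fully_decode(raw_path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that
    encoded (%2E) and doubly encoded (%252E) variants both resolve to '.'."""
    decoded = raw_path
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def classify_request(raw_path: str) -> dict:
    """Canonicalise a request path and report whether it carries the trailing
    dot/space suffix from the advisory against a non-native file type."""
    path_only = raw_path.split("?", 1)[0]      # ignore any query string
    decoded = fully_decode(path_only)
    canonical = decoded.rstrip(" .")           # the name the filesystem opens
    ext = os.path.splitext(canonical)[1].lower()
    trailing = decoded != canonical
    non_native = ext != "" and ext not in NATIVE_EXTENSIONS
    return {
        "canonical": canonical,
        "extension": ext,
        "trailing_dot": trailing,
        "non_native": non_native,
        # Worth blocking or alerting on: a handler-backed file type whose name
        # was padded with dots/spaces so a suffix match no longer recognises it.
        "block": trailing and non_native,
    }


def scan_access_log(lines):
    """Return (client, raw_path, canonical_path) for each log line that matches."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, raw_path = m.group(1), m.group(2)
        verdict = classify_request(raw_path)
        if verdict["block"]:
            hits.append((client, raw_path, verdict["canonical"]))
    return hits


# Constructed sample log lines, using the URL shapes shown in the advisory.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2003:10:00:00 +0000] "GET /reports/secretreport.csp. HTTP/1.0" 200 4821',
    '10.0.0.5 - - [01/Jan/2003:10:00:01 +0000] "GET /cgi-bin/myscript.pl%20. HTTP/1.0" 200 1120',
    '10.0.0.7 - - [01/Jan/2003:10:00:02 +0000] "GET /reports/secretreport.csp%20%2E HTTP/1.0" 200 4821',
    '10.0.0.9 - - [01/Jan/2003:10:00:03 +0000] "GET /reports/secretreport.csp HTTP/1.0" 200 812',
    '10.0.0.9 - - [01/Jan/2003:10:00:04 +0000] "GET /names.nsf. HTTP/1.0" 200 812',
]

if __name__ == "__main__":
    for client, raw, canon in scan_access_log(SAMPLE_LOG):
        print(f"{client} requested {raw!r} -> resolves to {canon}")
```

Because the comparison is made on the canonical name rather than on the literal suffix, the filter treats every encoding of the same padding identically; a request for a native .NSF file with a trailing dot is reported as padded but not blocked, which keeps the rule narrow to the file types the advisory says are affected.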