BugTraq
Re: Lotus Domino DOT Bug Allows for Source Code Viewing Feb 13 2003 12:03AM
JRedmond ymcastlouis org

"Faz" <faz (at) attbi (dot) com [email concealed]> wrote:
> Through some testing against some Lotus Domino web servers (verified in
version 5 & 6), if you append a period to the end of a non-default Lotus
file type (non .NSF, .NTF, etc) via your browser URL request, you will be
prompted to download the file.

I have been unable to recreate this on Domino 5.0.11, running on OS/400
V5R1. I get a 404 instead, whether I use MSIE or Mozilla or Opera, whether
the trailing dot is present or not, and whether my connection is anonymous
or name-and-password authenticated.

The difference here probably lies in the "Does this server use IIS?" option
on the Domino Server Document (as maintained by the server's
administrator). If checked, IIS handles all HTTP requests first. If this
option is enabled, and the request is for non-Domino traffic (such as the
examples listed in the original message), Domino does not receive the
request. I have this option disabled on the system I tested; that
particular operating system is not blessed with IIS.

Please check Microsoft's knowledge base and this list's archives to see if
this is another IIS bug. If that's the case, then it may be why Lotus is
"not too concerned about this" - it's nothing they can fix.

************************************
James Redmond, Domino Administrator
YMCA of Greater St. Louis
+1-314-436-1177 ext. 326
FAX +1-314-436-1901
jredmond (at) ymcastlouis (dot) org [email concealed]
************************************

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus