Re: KPMG-2002006: Lotus Domino Physical Path Revealed

From: Nicolas Gregoire (ngregoireat_private)
Date: Sun Mar 03 2002 - 04:01:01 PST


    02/04/2002 16:18:06, Peter Gründl <pgrundlat_private> wrote:
    
    >Problem:
    >========
    >Due to problems handling Windows DOS devices, the Domino Server
    >can be brought to show the physical location of the web root.
    
    >Corrective action:
    >==================
    >Upgrade to Lotus Domino V5.0.10, which can be downloaded here:
    >http://www.notes.net/qmrdown.nsf
    
    This upgrade solves the "banner disclosure" issue too, which was 
    presented to Bugtraq readers in my post regarding "physical path 
    disclosure" [1].
    
    Apparently, the banner string was hard-coded in the "htcgibin.exe" 
    module ...
    
    Thanks to Peter Gründl <pgrundlat_private> for testing the latest 
    Domino release for this bug.
    
    [1] : http://online.securityfocus.com/archive/1/254768
    
    
    Nicolas Gregoire
    Exaprobe
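The two issues discussed in this thread, physical-path disclosure and version-bearing banner disclosure, are the kind of thing a tester wants to re-check after an upgrade. The following is an added example, not code from the original post or from Lotus/IBM: it scans a captured HTTP response for Windows filesystem paths (drive-letter and UNC forms) and flags a Server header that carries a version number. The header value, the response bodies and the path inside them are constructed for illustration and are not taken from a real Domino server.

```python
"""Check a captured HTTP response for physical-path and banner disclosure.

Added example for this thread; the sample headers and bodies below are
constructed, not real Domino output.
"""
import re
from typing import Dict, List

# Windows absolute path: drive letter, colon, backslash, then path components.
_DRIVE_PATH = re.compile(r'\b[A-Za-z]:\\(?:[^\\\s"<>|?*:]+\\)*[^\\\s"<>|?*:]*')
# UNC path: \\server\share and any further components.
_UNC_PATH = re.compile(r'\\\\[^\\\s"<>|?*]+\\[^\\\s"<>|?*]+(?:\\[^\\\s"<>|?*]*)*')
# A version-looking token such as 5.0.9 inside a Server banner.
_VERSION = re.compile(r'\d+\.\d+')

# Constructed sample responses (hypothetical content, for demonstration only).
SAMPLE_LEAK_BODY = (
    r'<html><body>Cannot open file '
    r'C:\Lotus\Domino\data\domino\html\aux.htm</body></html>'
)
SAMPLE_UNC_BODY = r'<html><body>Cannot open file \\fileserver\webroot\aux.htm</body></html>'
SAMPLE_CLEAN_BODY = '<html><body>File not found: /aux.htm</body></html>'
SAMPLE_HEADERS = {"Content-Type": "text/html", "Server": "ExampleServer/1.2.3"}


def find_windows_paths(body: str) -> List[str]:
    """Return distinct Windows filesystem paths found in a response body."""
    found: List[str] = []
    for pattern in (_DRIVE_PATH, _UNC_PATH):
        for match in pattern.finditer(body):
            path = match.group(0)
            if path not in found:
                found.append(path)
    return found


def server_banner(headers: Dict[str, str]) -> str:
    """Return the Server header value (case-insensitive lookup) or ''."""
    for name, value in headers.items():
        if name.lower() == "server":
            return value
    return ""


def check_response(headers: Dict[str, str], body: str) -> Dict[str, object]:
    """Summarise disclosure findings for one response.

    'paths' lists any leaked Windows paths; 'banner_reveals_version' is True
    when the Server header exposes a dotted version number.
    """
    banner = server_banner(headers)
    return {
        "paths": find_windows_paths(body),
        "server_banner": banner,
        "banner_reveals_version": bool(_VERSION.search(banner)),
    }


if __name__ == "__main__":
    for label, body in (("leak", SAMPLE_LEAK_BODY),
                        ("unc", SAMPLE_UNC_BODY),
                        ("clean", SAMPLE_CLEAN_BODY)):
        print(label, check_response(SAMPLE_HEADERS, body))
```

Run it against responses captured while requesting the resource that triggered the disclosure before the upgrade; an empty `paths` list and a version-free banner after the upgrade is the result you want to see.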
    



    This archive was generated by hypermail 2b30 : Wed Apr 03 2002 - 11:44:39 PST