Lotus Domino DOT Bug Allows for Source Code Viewing

From: Faz (fazat_private)
Date: Wed Feb 12 2003 - 09:02:28 PST


    Through some testing against some Lotus Domino web servers (verified in
    versions 5 and 6), if you append a period to the end of a non-default Lotus
    file type (non-.NSF, non-.NTF, etc.) via your browser URL request, you will be
    prompted to download the file. A possible repercussion of this is the
    ability to view the source code of add-in web handlers such as Crystal
    Reports, Perl scripts and others. In some cases (such as Crystal Reports),
    where such file types are run server-side (similar to .ASP), they may
    reference additional INCLUDE files that contain logins and passwords. An
    attacker can easily use this technique to view the server-side source code
    and additional INCLUDE files to obtain private information.
    
    For example:

    http://some.dominoserver.com/reports/secretreport.csp.       <-- end the URL with a <period>
    http://some.dominoserver.com/cgi-bin/myscript.pl .           <-- notice the <space><period>
    http://some.dominoserver.com/cgi-bin/runme.exe%20.           <-- combination of a hex <space> and an ASCII period
    http://some.dominoserver.com/reports/secretreport.csp%20%2E  <-- all hex values

    Each of these will return the actual .CSP source code instead of the
    compiled report. This seems to work for all non-native Lotus Domino file
    types. A short-term workaround is to create Domino redirection filters for
    the various non-native file types ending with the combinations above, but
    some creative formatting of the URL can easily bypass these redirection
    filters.
    
    Lotus has been notified, and during the initial report, was not too
    concerned about this. It has been passed to development for further
    consideration. Maybe getting the word out about this will apply some
    pressure to Lotus to issue a fix.
    
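The post describes two things a practitioner would want in working form: the URL spellings that trigger the trailing-dot behaviour, and why a filter that matches those literal spellings (the "redirection filter" workaround) is bypassable while a canonicalize-then-decide check is not. The Python below is an added example written for this archive page, not code from the post or from Lotus. It generates the probe URLs from the post, canonicalizes a request path (percent-decode until stable, then strip trailing dots and spaces), classifies a path as a trailing-dot probe against a non-native file type, contrasts that with the naive literal-suffix filter, and runs the check over a few constructed Domino-style access-log lines. The log lines, the `NATIVE_EXTENSIONS` set and all function names are assumptions made for the example; the lowercase `%2e` and double-encoded `%252e` spellings are extrapolations of the post's point that "creative formatting" defeats a literal filter, not variants the post itself tested.

```python
import re
from os.path import splitext
from urllib.parse import unquote

# Assumption for the example: file types Domino serves itself. Anything else
# is handed to an add-in handler (CGI, Crystal Reports, ...), which is the
# case the post is about.
NATIVE_EXTENSIONS = {".nsf", ".ntf"}

# The four trailing-suffix spellings shown in the post.
BYPASS_SUFFIXES = [".", " .", "%20.", "%20%2E"]


def candidate_urls(url):
    """Build the probe URLs from a base URL, one per suffix spelling."""
    return [url + suffix for suffix in BYPASS_SUFFIXES]


def decode_fully(path):
    """Percent-decode until the string stops changing (bounded), so that a
    double-encoded form such as %252E ends up as a plain dot as well."""
    for _ in range(4):
        decoded = unquote(path)
        if decoded == path:
            return decoded
        path = decoded
    return path


def canonical_path(raw_path):
    """Decode, then drop the trailing dots/spaces that a filesystem-backed
    handler ignores when it opens the file."""
    return decode_fully(raw_path).rstrip(" .")


def classify(raw_path):
    """Return (canonical_path, extension, is_probe).

    is_probe is True when the request differs from its canonical form only by
    trailing dots/spaces and the canonical target is a non-native file type."""
    decoded = decode_fully(raw_path)
    canon = decoded.rstrip(" .")
    ext = splitext(canon)[1].lower()
    is_probe = canon != decoded and ext != "" and ext not in NATIVE_EXTENSIONS
    return canon, ext, is_probe


def naive_filter_blocks(raw_path):
    """The post's workaround: match the literal suffix spellings on the raw
    URL. Any spelling not in the list slips through."""
    return any(raw_path.endswith(suffix) for suffix in BYPASS_SUFFIXES)


# Common-log-format request line; the path group is non-greedy so that an
# unencoded "<space><period>" inside the path is captured too.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>.*?) HTTP/\d\.\d" (?P<status>\d{3})')


def scan_log(lines):
    """Return (raw_path, canonical_path, status) for every probe request."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        raw = m.group("path").split("?", 1)[0]   # ignore any query string
        canon, _ext, is_probe = classify(raw)
        if is_probe:
            hits.append((raw, canon, int(m.group("status"))))
    return hits


# Constructed sample log lines (not real server output). Only the first and
# the .nsf request are benign.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Feb/2003:09:02:28 -0800] "GET /reports/secretreport.csp HTTP/1.0" 200 1120',
    '10.0.0.5 - - [12/Feb/2003:09:02:31 -0800] "GET /reports/secretreport.csp%20%2E HTTP/1.0" 200 4182',
    '10.0.0.5 - - [12/Feb/2003:09:02:40 -0800] "GET /cgi-bin/myscript.pl . HTTP/1.0" 200 2210',
    '10.0.0.5 - - [12/Feb/2003:09:02:55 -0800] "GET /names.nsf. HTTP/1.0" 404 0',
    '10.0.0.5 - - [12/Feb/2003:09:03:02 -0800] "GET /reports/secretreport.csp%252e HTTP/1.0" 200 4182',
]


if __name__ == "__main__":
    for raw, canon, status in scan_log(SAMPLE_LOG):
        blocked = naive_filter_blocks(raw)
        print(f"{status} {raw!r} -> {canon!r} (literal filter catches it: {blocked})")
```

The contrast to look at is the last sample line: `%252e` is not in the literal suffix list, so `naive_filter_blocks` passes it, but `classify` decodes it to a trailing dot and flags it. A filter placed in front of Domino should therefore decide on `canonical_path(raw)` and its extension, never on the raw spelling; on the server side the real fix is the same canonicalization before the handler is chosen, which only Lotus can apply.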



    This archive was generated by hypermail 2b30 : Wed Feb 12 2003 - 14:58:56 PST