Lotus Information for VU#590487

Lotus Domino vulnerable to directory traversal, aka "Domino Server Directory Transversal Vulnerability"

Status

Affected

Vendor Statement

Lotus Notes Domino R4.x is not vulnerable to this issue.

Lotus Notes Domino R5.x is vulnerable to this issue.

Additional notes:

What is the nature of the vulnerability?
Given a known path and file name, files can be accessed from the Domino
server.  This is limited to the file system (or drive) that the Domino
server is installed on.  It is not possible to browse the file system, but
if a file name can be correctly guessed at, it can be accessed.

What versions of Domino are affected?
R5.0 - R5.06 on all operating system platforms (this includes products
running on Domino R5.x as the web server)
R4.x is not affected

How can I track this issue?
The SPR (Software Problem Report) number is KSPR4SPQ5S.  Issues can be
tracked via the Fix List database on Notes.net -->
http://www.notes.net/R5FixList.nsf

Are there workarounds available?
There are several measures that can be taken to reduce, but not completely
eliminate, the risk of this vulnerability.  A code fix is currently in
progress and will be made available shortly.

To address the specific issue documented in the advisory, File Protection
documents can be used.  However, it does not address some related issues.
The planned QMU will be required to address this issue completely.

In the Domino Directory, select the server document and click Web/Create
File Protection.
On the Basics tab, in the path field, specify the following extensions (one
document for each path)

    /.nsf/../
    /.ns4/../
    /.box/../

On the Access Control tab, specify Default as No Access.

Other steps to minimize risk:
Limit files stored on the file system where Domino is installed
Password protect the server id
Locally encrypt system databases (and other databases with easily guessable file names) with the server's id
Rename the server id to something other than server.id
Rename the notes.ini file and launch the server specifying the notes.ini file

What are Lotus' plans to address this issue?
Lotus is treating this with the highest priority and has a fix being tested
now.  The release number will be R5.0.6a and it will be posted to
http://notes.net as soon as it is available.  We are currently targeting
the end of this week (13-Jan-01).
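The File Protection workaround above blocks request paths in which a ".." segment follows a Domino database name (the /.nsf/../ shape). Until the fix is applied, the same shape is worth looking for in the web server's access log, since a 200 response to such a request means a file outside the database was served. The script below is an added example, not part of the CERT note or of Lotus's guidance: it assumes Common Log Format lines (the sample lines are constructed, not real traffic), percent-decodes the request path until it stops changing so that encoded dots are not missed, and reports every request whose path has a ".." segment after a .nsf, .ns4 or .box segment, together with the status the server returned.

```python
import re
from urllib.parse import unquote

# Database file extensions the vendor's File Protection workaround covers.
DOMINO_DB_EXTENSIONS = (".nsf", ".ns4", ".box")

# Constructed sample lines in Common Log Format; not real Domino traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2001:10:01:02 -0500] "GET /names.nsf?Open HTTP/1.0" 200 5120
10.0.0.9 - - [12/Jan/2001:10:01:07 -0500] "GET /names.nsf/../notes.ini HTTP/1.0" 200 2048
10.0.0.9 - - [12/Jan/2001:10:01:09 -0500] "GET /mail.box/%2e%2e/%2e%2e/server.id HTTP/1.0" 404 310
10.0.0.7 - - [12/Jan/2001:10:02:00 -0500] "GET /help/readme.nsf HTTP/1.0" 200 999
"""

# Common Log Format: client, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def decode_path(target):
    """Drop the query string and percent-decode until the path stops
    changing, so that %2e%2e and %252e%252e both surface as '..'."""
    path = target.split("?", 1)[0]
    previous = None
    while path != previous:
        previous = path
        path = unquote(path)
    return path


def traversal_after_db(path):
    """True when a '..' segment follows a segment naming a Domino database,
    the shape the '/.nsf/../' File Protection paths are meant to block."""
    seen_db = False
    for segment in path.split("/"):
        if segment.lower().endswith(DOMINO_DB_EXTENSIONS):
            seen_db = True
        elif segment == ".." and seen_db:
            return True
    return False


def scan_log(text):
    """Return (client_ip, decoded_path, status) for every request that
    looks like a database-relative traversal. Unparseable lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = decode_path(m.group("target"))
        if traversal_after_db(path):
            hits.append((m.group("ip"), path, int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for ip, path, status in scan_log(SAMPLE_LOG):
        # A 200 is the case to act on: the server served the traversed file.
        print(f"{ip} requested {path!r} -> HTTP {status}")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; a hit with status 200 is evidence of a successful read and should be handled as an incident, while a 404 still shows that a client was probing for guessable file names such as notes.ini or server.id.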

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

We are aware of public reports that Notes/Domino 4 is also vulnerable to this issue. We have not been able to reproduce that behavior. Additionally, our conversations with Lotus indicate they are aware of the reports as well, but likewise do not believe that version 4 is affected. We will continue investigating.

If you have feedback, comments, or additional information about this vulnerability, please send us email.