This document is intended to address the "Domino Server Directory Traversal Vulnerability" recently reported at http://www.securityfocus.com and can be used for discussing this issue with customers. This will be posted shortly to the Lotus Security Zone web site at http://www.lotus.com/security. Any updates to this document will be posted there, so please refer to that copy for the latest information.
What is the nature of the vulnerability?
Given a known path and file name, files may be accessed from a Domino server running the HTTP task. This is limited to the file system (or drive) on which the Domino server is installed. It is not possible to browse the file system, but if a file name can be guessed correctly, it can be accessed.
What versions of Domino are affected?
R5.0 through R5.0.6
R4.x is not affected
How can I track this issue?
The SPR (Software Problem Report) number is KSPR4SPQ5S. When an SPR is fixed, it is posted in the Fix List database on Notes.net: http://www.notes.net/R5FixList.nsf
What are Lotus' plans to address this issue?
Lotus is treating this with the highest priority, and a fix is being tested now. This fix is planned for R5.0.6a and will be posted to http://notes.net as soon as it is available.
Is there a workaround available?
Yes. Until R5.0.6a is available, the following workaround is recommended:
Open the Administration Client
Select the server you want to administer
"Configuration" tab / "Server" section / Current server document :
Press the "Web" button
Select "Create URL mapping/redirection"
In the URL redirection document
+ "Basics" tab
Select: URL ---> Redirection URL
+ "Mapping" tab
Incoming URL: *..*
Redirection URL: [the URL you want to redirect to, for example "http://hostname/homepage.nsf"]
Save the document
Restart the HTTP task
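The workaround above relies on a URL mapping whose "Incoming URL" pattern is *..*, i.e. any request whose URL contains a literal ".." is redirected instead of served. As an added example (not part of the Lotus advisory and not Domino code), the Python script below models that wildcard rule and runs it over a few constructed log lines in Common Log Format, so an administrator can see which requests the pattern would redirect and which past requests in an HTTP log would have matched it. The log lines, IP addresses and paths are constructed for the example. The script decodes percent-encoding before matching and reports separately whether the raw path matched literally; the advisory does not say at which stage Domino applies the mapping, so treating the literal match as the conservative case is an assumption of this example.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in Common Log Format (not real Domino logs).
# The second and third requests carry ".." path segments; the third only
# after percent-decoding.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jan/2001:10:01:02 -0500] "GET /homepage.nsf HTTP/1.0" 200 3117
10.0.0.7 - - [09/Jan/2001:10:01:10 -0500] "GET /homepage.nsf/../../example.txt HTTP/1.0" 200 911
10.0.0.9 - - [09/Jan/2001:10:02:33 -0500] "GET /%2e%2e/%2e%2e/example.txt HTTP/1.0" 200 911
10.0.0.5 - - [09/Jan/2001:10:03:01 -0500] "GET /help/readme.nsf?OpenDatabase HTTP/1.0" 200 2048
"""

# Minimal Common Log Format parser: client IP, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Turn a '*'-wildcard pattern such as '*..*' into an anchored regex.

    Every character except '*' is matched literally, so the two dots in
    '*..*' mean a literal '..' and not 'any two characters'.
    """
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def matches_mapping(url: str, pattern: str = "*..*") -> bool:
    """True if the URL would be caught by the given Incoming URL pattern."""
    return wildcard_to_regex(pattern).search(url) is not None


def flag_traversal_requests(log_text: str, pattern: str = "*..*") -> list:
    """Return the log entries whose request path matches the mapping pattern.

    Each entry records whether the raw path matched literally (the case the
    mapping as written clearly covers) or only after percent-decoding.
    """
    flagged = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("target").split("?", 1)[0]  # drop the query string
        decoded = unquote(path)
        literal = matches_mapping(path, pattern)
        after_decode = matches_mapping(decoded, pattern)
        if literal or after_decode:
            flagged.append({
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "path": path,
                "decoded_path": decoded,
                "status": int(m.group("status")),
                "matched_literally": literal,
            })
    return flagged


if __name__ == "__main__":
    for entry in flag_traversal_requests(SAMPLE_LOG):
        how = "literal" if entry["matched_literally"] else "after decoding"
        print(f'{entry["ip"]} {entry["path"]} -> HTTP {entry["status"]} ({how})')
```

A status of 200 on a flagged request from before the mapping was in place is worth a closer look at what the server returned; after the workaround is applied, flagged requests should show the redirect status instead.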

Official Lotus Response to "Domino ... (Katherine Spanb... 9.Jan.01)