A Bugtraq posting titled, "Lotus Domino DOT Bug Allows for Source Code Viewing" suggests that the Domino web server is vulnerable to a problem that allows a user to download files from the server. Is this true?
Lotus Software Quality Engineering has investigated these issues and determined that this does not represent a security vulnerability.
Case #1: Appending a period to the end of a URL for a Perl script or an .EXE results in an error on both Domino R5 and 6 code streams. The error returned is:
"HTTP Status Code: 500"
"Reason: Unable to execute script"
Case #2: Appending a period to the end of a URL for files such as Crystal Reports may result in the user being prompted to download the file. This is a configuration issue. If you have a directory rule that points to a directory which contains files, and you then enter a URL which will point to that directory and file, the web server will download the file that is being asked for (for more information on Directory Rules, please see, "What are Directory Rules and Where are They Set" below). If there is no MIME type specified HTTPD.CNF for the file in question, it will default to application/octet-stream which will cause the browser to prompt to download the file. In either case, directory rules always will result in the file being sent to the browser. The results of this case are consistent with the configuration of a directory rule.
In general, if you are not careful about specifying rules, CGI vs. directory rules, you can open up the server and allow people to download files. CGI rules tell the web server to execute the file, whereas directory rules tell the web server to download the file to the client. By default the only directory rules that are configured are /* and /domjava/* and /icons/* which point to the data\domino\html directory and the data\domino\java applet and data\domino\icon directories. If you configure a CGI directory with a directory rule then all files in the CGI directory can be downloaded to the client.
What are Directory Rules and Where are They Set
The following is an excerpt from the Domino Administrator's Guide:
A directory rule maps a file-system directory to a URL pattern. When the Web server receives a URL that matches the pattern, the server assumes that the URL is requesting a resource from that directory.
When you install a Domino 6 Web server, several file-resource directories are created automatically. These default directories are mapped by directory rules that are defined on the Configuration tab of the Web Site document. When the Web server starts up, it automatically creates internal rules to map these directories to URL patterns. The three default directories are:
- HTML directory for non-graphic files.
- Icon directory for graphic images such as .GIFs.
- CGI directory for CGI programs.
Directory rules can only be used to map the location of files that are to be read directly (such as HTML files and graphic files) and executable programs to be loaded and run by the operating system (such as CGI programs). Directory rules cannot be used to map the location of other types of resources, such as Domino databases or Java servlets.
When you create a Directory Web Site rule, you specify read or execute access to a file-system directory. It is critically important to choose the right access. Only directories that contain CGI programs should be enabled for Execute access. All other directories should have Read access. If you specify the wrong access level, unexpected results will occur. For example, if you mark a CGI directory for Read access, when a browser user sends a URL for a CGI program, the server will return the source code of the program instead of executing it, which could be a serious security breach.
Directory rules cannot override file-access permissions enforced by the operating system.
Note: Access level is inherited by all subdirectories under the specified directory.