Lotus Domino DOT Bug Allows for Source Code Viewing

Through some testing against some Lotus Domino web servers (verified in
version 5 & 6), if you append a period to the end of a non-default Lotus
file type (non .NSF, .NTF, etc) via your browser URL request, you will be
prompted to download the file. This has a possible repercussion of the
ability to view the source code for such add-in web handlers such as Crystal
Reports, Perl scripts and others. In some cases (such as Crystal Reports)
where such file types are server-side run (similar to .ASP), they may
reference additional INCLUDE files that contain logins and passwords. An
attacker can easily use this technique to view the server-side source code
and additional INCLUDE files to obtain private information.

For example:
http://some.dominoserver.com/reports/secretreport.csp. <– End the URL with
a <period>
http://some.dominoserver.com/cgi-bin/myscript.pl . <– notice the
<space><period>
http://some.dominoserver.com/cgi-bin/runme.exe&#37;20. <– combination of hex
<space> and an ASCII period
http://some.dominoserver.com/reports/secretreport.csp&#37;20&#37;2E <– All hex
values
will return the actual .CSP source code instead of the compiled report. This
seems to work for all types of non-native Lotus Domino file types. A short
term workaround is to create Domino redirection filters for the various
non-native file types and ending them with the combinations above, but some
creative formatting of the URL can easily bypass these redirection filters.

Lotus has been notified, and during the initial report, was not too
concerned about this. It has been passed to development for further
consideration. Maybe getting the word out about this will apply some
pressure to Lotus to issue a fix.