CVE-2002-0407

Name of the Vulnerable Software and Affected Versions Lotus Domino server versions 5.0.9a and earlier

Description The issue allows remote attackers to determine the physical pathname for the server via specific requests. This can be achieved by sending requests that contain certain MS-DOS device names, such as com5, or by including a large number of periods in the request, which causes htcgibin.exe to leak the pathname in an error message. Requests with .pl or .java extensions can also be used to exploit this.

Recommendations For Lotus Domino server versions 5.0.9a and earlier, consider restricting access to htcgibin.exe until a fix is available. As a temporary workaround, avoid using MS-DOS device names in requests and limit the number of periods in URLs to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.