Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: firstname.lastname@example.org.
Lotus Domino HTTP Service contains a flaw that may allow a malicious user to gain inappropriate access to the cgi-bin directory. The issue is triggered when anonymous access to the cgi-bin directory is disabled: the flaw may allow anonymous access to cgi-bin even when it has been turned off, resulting in a loss of confidentiality.
Upgrade to version 5.0 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s):
Redirect CGI handling as specified in the Lotus BUGTRAQ post:
* If the customer does not require the use of any CGIs, then the entire /cgi-bin directory can be redirected to another URL (a Notes database, or HTML file). If any "/cgi-bin" requests are made, they will be directed to this URL and are not processed as CGI.
* If the customer does require the use of CGIs, the following setup will be
  1) In the HTTP section of the Server Document, change the "CGI URL path" field to a different URL path. This does not require a change to the "CGI directory" field, so the location on the hard drive for CGIs will remain the same. Only the URL which invokes CGIs will be altered. Example: The default CGI URL path is "/cgi-bin"; change this to "/scripts/cgi-bin". Now, whenever a /cgi-bin request is made, it is recognized as a URL instead of a CGI.
  2) Create a URL Redirect document in the DOMCFG.NSF for each specific CGI that resides on the server. Specify the incoming URL path as "/cgi-bin", and the redirection URL as "/scripts/cgi-bin".
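To confirm the workaround took effect on your own server, the following added example (not from the SecurityFocus entry or the Lotus post) classifies a captured HTTP response to an unauthenticated request for a /cgi-bin URL: a 200 means the old path is still being executed as CGI, a redirect means the Server Document or DOMCFG.NSF change is active. The sample responses and CGI names are constructed.

```python
# Added example: judge whether /cgi-bin is still served anonymously from a
# raw HTTP response. Sample responses below are constructed, not real output.

def parse_http_response(raw: str):
    """Split a raw HTTP/1.x response into (status code, lowercase header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def assess_cgi_bin(raw: str):
    """Return (verdict, redirect_location) for an unauthenticated /cgi-bin request.

    'exposed'       : 200 without credentials, the old path still runs as CGI
    'redirected'    : 3xx, the old path is now treated as a plain URL (workaround)
    'auth-required' : 401, the server is enforcing authentication on the path
    'not-served'    : 403/404, the path is no longer reachable at all
    """
    status, headers, _ = parse_http_response(raw)
    if status == 200:
        return "exposed", ""
    if status in (301, 302, 303, 307):
        return "redirected", headers.get("location", "")
    if status == 401:
        return "auth-required", ""
    if status in (403, 404):
        return "not-served", ""
    return "unknown", ""


def exposed_paths(responses: dict) -> list:
    """Given {url_path: raw_response}, list the CGI paths still answered with 200.

    The Lotus workaround needs one URL Redirect document per CGI, so every
    script under the old path should be checked, not just one.
    """
    return sorted(p for p, raw in responses.items() if assess_cgi_bin(raw)[0] == "exposed")


# Constructed sample responses, before and after applying the workaround.
BEFORE = "HTTP/1.0 200 OK\r\nServer: Lotus-Domino\r\nContent-Type: text/html\r\n\r\n<html>script output</html>"
AFTER = "HTTP/1.0 302 Found\r\nServer: Lotus-Domino\r\nLocation: /scripts/cgi-bin/test.cgi\r\n\r\n"

if __name__ == "__main__":
    print(assess_cgi_bin(BEFORE), assess_cgi_bin(AFTER))
    print(exposed_paths({"/cgi-bin/a.cgi": BEFORE, "/cgi-bin/b.cgi": AFTER}))
```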