Networks have a subnet mask that defines the type of sub-netting, as well as the network's broadcast address. Typically, a class C network (10.0.9.XXX without sub-netting) will have a range of valid IP addresses from 10.0.9.1 to 10.0.9.254, and its broadcast address will be 10.0.9.255 (since the netmask is 255.255.255.0). When a host on this class C network sends a packet to the broadcast address, all the other hosts belonging to the same class C will reply. It seems that one (or more) broadcast addresses in your class C can be reached externally. Make sure that this broadcast address belongs to your subnet before taking any action.

If you block or properly filter ICMP packets, then please disregard this vulnerability.

The exact number of Web servers behind a load balancer is difficult to determine, so the number reported here may not be accurate. Furthermore, the Netscape-Enterprise Version 3.6 servers are known to display an erroneous "Date:" field in the HTTP header when it receives a lot of requests. This also makes it difficult for us to determine if there is a load balancer device present.

By default, Lotus Domino is pre-configured with a Navigator called '$defaultNav'. This Navigator allows a remote client to view the 'visible views' in the requested database. If a remote attacker accesses this Navigator, sensitive information about the structure of the database may be disclosed. It is suggested that URL redirection based on pattern matching be implemented to prevent unauthorized access to this Navigator. This may not be sufficient as it is possible to manipulate an HTTP request to evade some patterns being matched.

Lotus Notes documents can be organized into 'Views' in Lotus Domino. To protect sensitive documents, it is possible to place ACLs on views. Lotus Domino contains a vulnerability in that it is possible to access any Notes document from any view simply by manually specifying the document's 'Note ID'. The behavior exhibited by Domino suggests that access controls are only applied when a document is being accessed through the appropriate view.

Some databases are created with 'template files'. These files are located in the same directory as the Notes database files, but have different file extensions. Because Domino retrieves requested Web files from locations on the filesystem corresponding to the file's extension, an attempt to access a template file will result in a 404 error. Despite this, it is possible to access a template by using it's 'Replica ID'. A Replica ID is a 16-digit value used when synchronizing database resources across different servers. By specifying the Replica ID, a malicious user can successfully request the Web Administrator template. Access to this template file may allow the user to view the contents of arbitrary Web server readable files on the filesystem.

Your Web server does not filter script embedding from links displayed on a server's Web site.

A malicious Web master can exploit this vulnerability to cause JavaScript commands or embedded scripts to be executed by any user who clicks on the hyperlink. Upon clicking the hyperlink, your Web server will generate an error message including the specified or embedded script. The specified or embedded scripting is executed in the client's browser and treated as content originating from the target server returning the error message (even though the scripting may have originated at another site entirely).