[ISN] A glitch in Domino?

From: mea culpa (jerichot_private)
Date: Fri Oct 16 1998 - 16:17:04 PDT


    A glitch in Domino?
    By Erich Luening
    Staff Writer, CNET News.com
    October 16, 1998, 12:25 p.m. PT
    URL: http://www.news.com/News/Item/0,4,27647,00.html
    Bug-busting group L0pht has posted an advisory on its Web site warning
    Lotus Domino users and application developers of a glitch which occurs
    with some applications based on the Web server and opens up sensitive
    information to any user on the Internet. 
    The Boston, Massachusetts-based company has received reports regarding the
    "vulnerability." Those reports say the glitch affects Web sites created by
    Lotus Business Partners who provide training services and accept credit
    cards over the Web. However, in theory, L0pht said the problem could
    extend to any e-commerce site. 
    Although it has not released an official comment on the advisory, a Lotus
    spokesman told CNET News.com that the company is aware of the alleged
    glitch and is currently contacting customers to figure out its legitimacy.
    It is expected to respond to the advisory soon. 
    L0pht said it contacted Lotus Business Partners, which confirmed that it
    is affected by the problem, but the bug-busting group said it does not
    want to "place blame on the software vendor or on the applications

    "The advisory is designed to alert customers that they should be wary of
    putting sensitive information into Web applications," L0pht said. 
    Detailing the problem, L0pht said Web users can navigate to the portion of
    the site used for processing registration and payment information and
    remove everything to the right of the database name in the URL, typically
    ending in .nsf. 
    In one example, all the database views were exposed which included a view
    containing previous registrations and a view containing "All documents." 
    These views then could be accessed by clicking on the link and browsing
    the data within the view, which typically consists of business and
    customer names, addresses, phone numbers, and payment information. 
    The problem may be related to the way in which the application built on
    the Domino platform was designed, or just plain ignorance on the part of
    the application developer, but because the biggest concern by consumers
    using the Web to purchase goods and participate in e-commerce is
    protecting sensitive information, the issue warrants attention, L0pht
    To test for the vulnerability, L0pht advises users to navigate through a
    Domino site, and once a database has been accessed, remove the information
    after the .nsf or after the first set of numbers following the server
    portion of the URL and replace it with "?Open". If the user is then
    presented with a list of views, the site is potentially vulnerable to
    allow anonymous users access to the information contained within the views
    in that list. 
    For a temporary solution, the sites affected could have been protected
    using reader and author names fields to prevent unauthorized access to
    their clients' data. The internal registration views could have been hidden
    from anonymous users. Additionally, every Domino site should disallow
    anonymous access for at least these databases: names.nsf; catalog.nsf;
    log.nsf; domlog.nsf; and domcfg.nsf. 
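    As an added defender-side example (not from the article, L0pht or Lotus), the check below scans constructed Domino HTTP log lines in Common Log Format for successful anonymous requests of the URL shape described above, the database name or replica ID with everything after it removed and "?Open" appended, and flags any hit against the default databases the article lists. It assumes the "set of numbers" after the server portion is a 16-hex-digit replica ID and treats "?OpenDatabase", Domino's long form of the same URL command, the same as "?Open".

```python
import re
from urllib.parse import urlsplit

# Constructed sample of Domino HTTP server log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [16/Oct/1998:12:25:01 -0700] "GET /register.nsf/Signup?OpenForm HTTP/1.0" 200 5120
10.0.0.5 - - [16/Oct/1998:12:25:09 -0700] "GET /register.nsf?Open HTTP/1.0" 200 2048
10.0.0.7 - - [16/Oct/1998:12:26:00 -0700] "GET /names.nsf?OpenDatabase HTTP/1.0" 200 3000
10.0.0.8 - jsmith [16/Oct/1998:12:27:00 -0700] "GET /log.nsf?Open HTTP/1.0" 200 1500
10.0.0.9 - - [16/Oct/1998:12:28:00 -0700] "GET /domcfg.nsf?Open HTTP/1.0" 401 300
10.0.0.9 - - [16/Oct/1998:12:29:00 -0700] "GET /85256700006F2A8C?Open HTTP/1.0" 200 4096
"""

# Default databases the article says must never be readable by anonymous users.
RESTRICTED_DBS = {"names.nsf", "catalog.nsf", "log.nsf", "domlog.nsf", "domcfg.nsf"}

CLF_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Bare database reference: "/<name>.nsf" or "/<replica ID>" (assumed 16 hex digits), nothing after it.
DB_ROOT_RE = re.compile(r'^/(?:[^/?]+\.nsf|[0-9A-Fa-f]{16})$', re.IGNORECASE)

def parse_clf(line):
    """Split one CLF line into its fields; returns None for lines that do not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    client, user, method, target, status = m.groups()
    parts = urlsplit(target)
    return {"client": client, "user": user, "method": method,
            "path": parts.path, "query": parts.query, "status": int(status)}

def is_view_listing_request(path, query):
    """True for the URL shape in the advisory: database name or replica ID with the rest
    cut off and ?Open (or its long form ?OpenDatabase) appended, which lists the views."""
    if not DB_ROOT_RE.match(path):
        return False
    command = query.split("&", 1)[0].lower()  # the Domino URL command is the first query token
    return command in ("open", "opendatabase")

def find_anonymous_view_listings(log_text):
    """Successful (HTTP 200) unauthenticated view listings, flagged if against a restricted DB."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None or rec["user"] != "-" or rec["status"] != 200:
            continue  # only anonymous requests that actually succeeded matter here
        if not is_view_listing_request(rec["path"], rec["query"]):
            continue
        db = rec["path"].rsplit("/", 1)[-1].lower()
        hits.append({"client": rec["client"], "db": db, "restricted": db in RESTRICTED_DBS})
    return hits
```

    Run against the sample, the scan reports the register.nsf, names.nsf and replica-ID listings and skips the authenticated and rejected (401) requests; the names.nsf hit is the one marked restricted.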
    For more information L0pht recommends contacting the author of the
    advisory via email at nardot_private 
    In January, L0pht posted another advisory on Domino. The problem was not
    an actual product bug, but instead a glitch in the way the Domino package
    is configured by end users. Because of the glitch, any Web user could
    write to and exploit remote server drives and change server configuration
    files, according to L0pht. The design flaw again gave unauthorized users
    unrestricted access to default Domino databases. 
    Subscribe: mail majordomot_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
