[IWAR] INTERNET/INFOWAR Domino vulnerable

From: 7Pillars Partners (partnersat_private)
Date: Wed Jan 21 1998 - 16:38:01 PST


    Note that this includes sites like that for the Nagano Olympics, soon to be
    high profile. --MW
    
    Wednesday January 21 12:37 PM EST 
       
    Security problem may open Lotus site to hackers
    
       By Michael Stutz
       
       SAN FRANCISCO (Wired) - A security vulnerability could allow pranksters
       to wreak havoc with sites that serve Web pages from all versions of the
       Lotus Domino Web server.
       
       The Domino product is designed to securely open up Lotus Notes databases
       to the Web by making them accessible via HTTP (hypertext transfer
       protocol), either over the Web or across private intranets.
       
       The vulnerability, made public Tuesday by the Boston-based L0pht hacker
       collective, is not an actual bug in the Domino product, but rather a
       problem in the way it might be initially configured by a Domino
       webmaster.
       
       "The server's doing what it's designed to do," said Mark Watson, vice
       president at Binary Tree Inc., a Domino consulting company.
       
       The crack easily exploits a misconfigured Domino site. By appending
       domcfg.nsf/?open to the base URL of a target site -- say,
       http://www.foobar.com/ -- one could easily determine whether or not that
       site's database configurations can be edited by outside users. If after
       trying this a user is not prompted for a password, those files are
       likely to be readable and -- at worst -- writable.
       
       Armed with such access, a cracker could easily redirect the entire Web
       site to any other domain of his or her choosing, simply by filling out a
       friendly, easy-to-use form.
       
       "You can do basically anything you want," said L0pht member Matt W., who
       discovered the exploit, "You can read and write to their databases, as
       well as delete (them)." He further said that while Lotus has not yet
       contacted him about the vulnerability, he knows that many Domino-powered
       Web sites are at risk.
       
       Embarrassingly, Lotus' own Domino Merchant Server Web site is among
       them.
       
       "I like the Domino Merchant site," said one hacker who requested
       anonymity, "Because their whole selling point is rock-solid security --
       yet anyone with a browser can take their site offline by redirecting it
       to www.microsoft.com," the source said.
       
       Past experience shows that when the L0pht talks, vendors listen.
       According to security mailing list reports, Lotus responded quickly to a
       previous Domino exploit discovered by the L0pht in December 1996.
       
       With respect to this latest problem, a Lotus official said the company
       was on the case.
       
       "Our engineers are investigating the problem to determine the
       appropriate solution," the spokesperson said. "Until they complete that,
       we don't have any comment about the issues at this time."
       
       "It's probably something that Lotus should address on their Web site,"
       said Binary Tree's Watson, who said he was familiar with the exploit and
       that many of the hundreds of Domino-powered sites were at risk.
       
       The hole can be exploited in curious ways. At one vulnerable site, NBC
       Sports, a cracker could view the list of names for all customers who
       registered for the site's sweepstakes.
       
       Watson said he was surprised it took the L0pht group this long to
       discover the problem.
       
       "We've started fiddling with this since October or November of last
       year," Watson said. Ironically, though, even Watson's binarytree.com was
       affected by the vulnerability. Watson said that this would be
       immediately addressed, and that in general a Domino administrator could
       make five or ten minutes' worth of changes to patch a vulnerable site.
       
       But because of the nature of the exploit, Matt W. was skeptical. "They
       can fix it now, but the problem will be keeping it always fixed," he
       said.
       
       Matt W. said that there are three prongs to Domino's security makeup
       which lead to this vulnerability -- all of which stem from the mechanism
       used for setting the server's security permissions, called the Access
       Control Lists, or ACLs.
       
       Domino's ACL defaults allow any Web user to have read and write access
       to the database. Further, databases do not correctly inherit the ACLs of
       the templates used to create them.
       
       Finally, there is currently no way to verify the security of the server
       configuration databases other than manually verifying the ACLs of each
       and every database. The problem escalates, Matt W. said, with large
       sites that have hundreds of servers and thousands of databases to check
       and keep current.
       
       All versions of Lotus Domino are affected. Databases created from a
       template using the current Domino release - 4.6a - allow them only to
       be read, but that is still considered to be a security breach.
       
       (Reuters/Wired)
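
The article notes that the only way to verify configuration-database security is to check each database by hand. The following is an added example, not part of the original article or of any Lotus or L0pht tooling: it triages saved HTTP responses for the domcfg.nsf/?open request from an administrator's own server inventory, using the article's "not prompted for a password" test. The host names, sample responses, verdict labels and the treatment of an HTML login form as a prompt are assumptions made for illustration.

```python
import re

CHECK_PATH = "/domcfg.nsf/?open"  # request path named in the article

def parse_response(raw):
    """Split a captured HTTP response into (status, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers, body

def classify(raw):
    """Return a verdict for one saved response to CHECK_PATH."""
    status, headers, body = parse_response(raw)
    if status == 401 and "www-authenticate" in headers:
        return "prompted"            # server asked for credentials
    if status == 200 and re.search(r'type\s*=\s*["\']?password', body, re.I):
        return "prompted"            # assumption: a login form counts as a prompt
    if status == 200:
        return "open"                # served without a prompt: check the ACL by hand
    if status in (403, 404):
        return "blocked"             # refused or not present for anonymous users
    return "review"                  # redirects and errors need a human look

def audit(captures):
    """Classify every host; return (verdicts, sorted hosts needing ACL review)."""
    verdicts = {host: classify(raw) for host, raw in captures.items()}
    flagged = sorted(h for h, v in verdicts.items() if v in ("open", "review"))
    return verdicts, flagged

# Constructed sample captures (hypothetical hosts, not real server output).
SAMPLES = {
    "intranet-a.example": 'HTTP/1.0 401 Unauthorized\r\n'
                          'WWW-Authenticate: Basic realm="/"\r\n\r\n',
    "shop.example": "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
                    "<html><title>Configuration</title></html>",
    "portal.example": 'HTTP/1.1 200 OK\r\n\r\n<form><input type="password"></form>',
    "old.example": "HTTP/1.0 404 Not Found\r\n\r\n",
    "edge.example": "HTTP/1.1 302 Found\r\nLocation: /login\r\n\r\n",
}

if __name__ == "__main__":
    for host, verdict in sorted(audit(SAMPLES)[0].items()):
        print("%-20s %s" % (host, verdict))
```

An "open" verdict only means no password prompt was seen; the database ACL itself still has to be inspected and corrected on the server.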
    


