Note that this includes sites like that for the Nagano Olympics, soon to be high profile. --MW

Wednesday January 21 12:37 PM EST

Security problem may open Lotus site to hackers

By Michael Stutz

SAN FRANCISCO (Wired) - A security vulnerability could allow pranksters to wreak havoc with sites that serve Web pages from all versions of the Lotus Domino Web server. The Domino product is designed to securely open up Lotus Notes databases to the Web by making them accessible via HTTP (hypertext transfer protocol), either over the Web or across private intranets.

The vulnerability, made public Tuesday by the Boston-based L0pht hacker collective, is not an actual bug in the Domino product, but rather a problem in the way it might be initially configured by a Domino webmaster. "The server's doing what it's designed to do," said Mark Watson, vice president at Binary Tree Inc., a Domino consulting company.

The crack easily exploits a misconfigured Domino site. By appending domcfg.nsf/?open to the base URL of a target site -- say, http://www.foobar.com/ -- one could easily determine whether or not that site's database configurations can be edited by outside users. If after trying this a user is not prompted for a password, those files are likely to be readable and -- at worst -- writable. Armed with such access, a cracker could easily redirect the entire Web site to any other domain of his or her choosing, simply by filling out a friendly, easy-to-use form.

"You can do basically anything you want," said L0pht member Matt W., who discovered the exploit. "You can read and write to their databases, as well as delete (them)." He further said that while Lotus has not yet contacted him about the vulnerability, he knows that many Domino-powered Web sites are at risk. Embarrassingly, Lotus' own Domino Merchant Server Web site is among them.
"I like the Domino Merchant site," said one hacker who requested anonymity, "because their whole selling point is rock-solid security -- yet anyone with a browser can take their site offline by redirecting it to www.microsoft.com," the source said.

Past experience shows that when the L0pht talks, vendors listen. According to security mailing list reports, Lotus responded quickly to a previous Domino exploit discovered by the L0pht in December 1996. With respect to this latest problem, a Lotus official said the company was on the case. "Our engineers are investigating the problem to determine the appropriate solution," the spokesperson said. "Until they complete that, we don't have any comment about the issues at this time."

"It's probably something that Lotus should address on their Web site," said Binary Tree's Watson, who said he was familiar with the exploit and that many of the hundreds of Domino-powered sites were at risk.

The hole can be exploited in curious ways. At one vulnerable site, NBC Sports, a cracker could view the list of names for all customers who registered for the site's sweepstakes. Watson said he was surprised it took the L0pht group this long to discover the problem. "We've started fiddling with this since October or November of last year," Watson said. Ironically, though, even Watson's binarytree.com was affected by the vulnerability. Watson said that this would be immediately addressed, and that in general a Domino administrator could make five or ten minutes' worth of changes to patch a vulnerable site.

But because of the nature of the exploit, Matt W. was skeptical. "They can fix it now, but the problem will be keeping it always fixed," he said. Matt W. said that there are three prongs to Domino's security makeup which lead to this vulnerability -- all of which stem from the mechanism used for setting the server's security permissions, called the Access Control Lists, or ACLs.
Domino's ACL defaults allow any Web user to have read and write access to the database. Further, databases do not correctly inherit the ACLs of the templates used to create them. Finally, there is currently no way to verify the security of the server configuration databases other than manually verifying the ACLs of each and every database. The problem escalates, Matt W. said, with large sites that have hundreds of servers and thousands of databases to check and keep current.

All versions of Lotus Domino are affected. Databases created from a template using the current Domino release - 4.6a - can only be read, but that is still considered to be a security breach.

(Reuters/Wired)
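The article notes that the only way to verify the configuration database is to check its ACL by hand; an administrator can at least confirm the symptom it describes (no password prompt on domcfg.nsf) across their own servers. The following is an added example, not code from the article or from Lotus: it requests the configuration database on each listed server and reports whether the server answered with an HTTP login challenge (the expected state) or opened the database anonymously. The host list is a constructed placeholder; replace it with your own Domino servers.

```python
import urllib.request
import urllib.error

# Constructed placeholder: list the base URLs of your own Domino servers here (assumption).
SERVERS = ["http://domino.example.internal"]

# Configuration database path named in the article.
CONFIG_DB_PATH = "/domcfg.nsf/?open"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a redirect to a login page must not be mistaken for a 200."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, www_authenticate):
    """Classify a response to the configuration database URL.

    401 with a WWW-Authenticate challenge means the ACL forces a login.
    200 means the database opened anonymously, i.e. the default ACL entry
    grants at least read access to unauthenticated Web users.
    Anything else (403, 404, 3xx redirects) is left for manual review.
    """
    if status == 401 and www_authenticate:
        return "login-required"
    if status == 200:
        return "anonymous-access"
    return "review"


def probe(base_url, path=CONFIG_DB_PATH, timeout=10):
    """Request the configuration database once and return (status, verdict)."""
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"User-Agent": "domino-acl-audit"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, classify(resp.status, resp.headers.get("WWW-Authenticate"))
    except urllib.error.HTTPError as err:
        # 401, 403, 404 and (because redirects are disabled) 3xx all arrive here.
        return err.code, classify(err.code, err.headers.get("WWW-Authenticate"))


if __name__ == "__main__":
    for server in SERVERS:
        status, verdict = probe(server)
        print(f"{server}: HTTP {status} -> {verdict}")
```

A 200 only shows that the default ACL entry grants read access; whether it also grants write, as the article says the defaults do, should be confirmed from the database's ACL itself rather than by submitting the form.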
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:02:00 PDT