L0pht 'Domino' Vulnerability is alive and well

From: Aleph One (aleph1at_private)
Date: Mon Jul 05 1999 - 13:33:58 PDT


    This information was forwarded to Security Focus by someone
    that requested to be anonymous.
    
    http://www.l0pht.com/advisories/domino3.txt
    
    It seems nine months after L0pht posted their advisory on file view
    problems in Lotus Notes, the problem is alive and well. So well in fact
    that doing a simple query via a search engine found dozens of *very* high
    profile web servers open. Everything from Military sites, political
    parties, police departments and even software vendors. This is a follow-up
    to the Advisory published by the L0pht in October 1998.
    
    Data that can be accessed by unauthorized users may include: usernames,
    server names and IP addresses, dial-up server phone numbers,
    administration logs, file names, and data files (including credit card
    information, proprietary corporate data, and other information stored in
    eCommerce related databases.)  In some instances, it may be possible for
    an unauthorized user to modify these files or perform server
    administration functions via the web administration interface.
    
    The directory browsing "feature" is invoked when a user appends "?open" to
    a Domino URL. ex. http://www.example.com/?open.  If the server is
    vulnerable, it will display the contents of the webroot directory.  In
    situations where multiple web sites are hosted on the same server, the
    unauthenticated user may be able to view data from any of these virtual
    servers.  This configuration weakness can be corrected by disabling
    database browsing.  The Lotus documentation suggests:
    
    1. From the Domino Administrator, click the Configuration tab, and open
       the Server document.
    2. Click the Internet Protocols - HTTP tab.
    3. In the "Allow HTTP clients to browse databases" field, choose No.
    4. Save the document.
    
    The database access issue is caused by improper ACLs over sensitive .nsf
    files on the Domino server.  For example, an unauthorized user may attempt
    to access the Name and Address Book by appending the database name to the
    Domino Server URL- http://example.com/names.nsf (this syntax invokes an
    explicit ?open command).  User created databases containing any variety of
    public or non-public information may be read if proper ACLs are not placed
    on these files.
    
    The following system files are potentially vulnerable: admin4.nsf,
    webadmin.nsf, certlog.nsf, log.nsf, names.nsf, catalog.nsf, domcfg.nsf,
    and domlog.nsf.  These files contain a wealth of information that may
    allow an unauthorized user to penetrate additional hosts and/or networks.
    In some instances, these files may be modified by the attacker to change
    the intended behavior of the web site.  One particular example, cited by
    the L0pht in a January 1998 Advisory, demonstrates the ability to
    completely redirect all traffic destined for the vulnerable web site to a
    third party "evil" web site.
    
    To remedy this problem, it is suggested that each site running Domino web
    servers verify that proper ACLs have been placed on both custom and system
    related .nsf files. These recommendations should be considered not only
    for Internet connected Domino servers, but also for corporate Intranet
    servers.
    
    --
    Aleph One / aleph1at_private
    http://underground.org/
    KeyID 1024/948FD6B5
    Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01
    
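The post names two indicators an administrator can look for in their own Domino HTTP access log (domlog.nsf or its text export): the "?open" query against the web root, which only succeeds when database browsing is enabled, and direct requests for the listed system databases. The following detector is an added example for this archive page, not code from the original post or from the L0pht; the log lines it scans are constructed in Common Log Format, and the "?OpenDatabase" synonym is assumed in addition to the "?open" form the post cites.

```python
"""Flag Domino access-log requests matching the exposure patterns described
in the advisory: "?open" database browsing on the web root, and requests
for the Domino system databases it lists.

Added example for this archive page (not from the original post).  The
log lines in SAMPLE_LOG are constructed, Common Log Format, for illustration.
"""
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# System databases named in the post.
SYSTEM_DATABASES = {
    "admin4.nsf", "webadmin.nsf", "certlog.nsf", "log.nsf",
    "names.nsf", "catalog.nsf", "domcfg.nsf", "domlog.nsf",
}

# Common Log Format: host ident authuser [date] "METHOD target PROTO" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def classify_request(target: str) -> Optional[str]:
    """Return an indicator name for a request target, or None.

    'system-database'  : the last path segment is one of SYSTEM_DATABASES
                         (with or without a view or ?open appended).
    'database-browsing': a "?open" (or the assumed "?OpenDatabase" synonym)
                         query on a path that contains no .nsf at all, i.e.
                         the web root or a plain directory.
    """
    parts = urlsplit(target)
    path = parts.path.lower()
    # parse_qs turns a bare "?open" into {'open': ['']}.
    query_keys = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    last_segment = path.rstrip("/").rsplit("/", 1)[-1]

    if last_segment in SYSTEM_DATABASES:
        return "system-database"
    if query_keys & {"open", "opendatabase"} and ".nsf" not in path:
        return "database-browsing"
    return None


def parse_clf(line: str) -> Optional[dict]:
    """Parse one Common Log Format line into a dict, or None if malformed."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def scan_log(lines):
    """Return one finding per matching request.

    A 2xx status means the server actually served the request ('exposed');
    denied attempts (401/403) are still reported so the activity is visible.
    """
    findings = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        indicator = classify_request(rec["target"])
        if indicator is None:
            continue
        findings.append({
            "host": rec["host"],
            "target": rec["target"],
            "status": int(rec["status"]),
            "indicator": indicator,
            "exposed": rec["status"].startswith("2"),
        })
    return findings


# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
192.0.2.10 - - [05/Jul/1999:13:33:58 -0700] "GET /?open HTTP/1.0" 200 8412
192.0.2.10 - - [05/Jul/1999:13:34:02 -0700] "GET /names.nsf HTTP/1.0" 200 20417
192.0.2.10 - - [05/Jul/1999:13:34:09 -0700] "GET /catalog.nsf?OpenDatabase HTTP/1.0" 401 455
198.51.100.7 - - [05/Jul/1999:13:35:11 -0700] "GET /sales/orders.nsf/ByDate?OpenView HTTP/1.0" 200 3102
198.51.100.7 - - [05/Jul/1999:13:35:20 -0700] "GET /index.html HTTP/1.0" 200 1204
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        state = "EXPOSED" if f["exposed"] else "denied"
        print(f'{f["host"]:<14} {f["status"]} {state:<8} {f["indicator"]:<18} {f["target"]}')
```

Run against the sample it reports the root "?open" and the names.nsf request as exposed and the catalog.nsf attempt as denied, while the ordinary view open on a user database and the static page produce nothing. An "exposed" system-database hit from an unauthenticated client is the condition the post's ACL advice is meant to prevent; a served "database-browsing" hit means the "Allow HTTP clients to browse databases" setting is still Yes.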
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:51:42 PDT