Re: Script for find domino's users

From: Simon Delicata (sdelicataat_private)
Date: Thu Jan 31 2002 - 12:03:10 PST


    This isn't a proof of concept, but more a probe for misconfigured database
    ACLs.
    
    If a Domino web server doesn't have a redirection URL for /mail/* mail
    files, then you rely on the access control for each mail file.
    
    Two things can be done to avoid this:
    
    1 - Change the ACL on sensitive databases (/mail/*, names.nsf) to:
          Anonymous - No access
          [Default] - No access
    
    2 - Within the Server Document for each server, ensure that "Allow HTTP
    clients to browse databases:" is set to "No"
    
    I believe that all versions of Domino server from 4.5 upwards are
    susceptible to badly configured ACLs. Any good administrator would have a
    hold of this already.
    
    #!/usr/local/bin/php -q
    <?
    
    <snip>
    
    </snip>
    
    fclose ($fd);
    
    ?>
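A defender-side check for the two fixes above, written as an added example (this is not the snipped PHP script from the post). It is meant for an administrator verifying their own Domino server after changing the ACLs: it requests names.nsf and a mail file anonymously and reports whether the server denied, redirected, or served the database. The sample paths, the "acl-check" User-Agent and the assumption that a Domino session-authentication login page contains a password input are mine, not from the post.

```python
"""Verify that a Domino web server refuses anonymous access to /mail/* and names.nsf."""
import urllib.error
import urllib.request

# Constructed sample paths; real mail file names come from your own names.nsf.
SENSITIVE_PATHS = ["/names.nsf", "/mail/jdoe.nsf"]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface 3xx as HTTPError instead of following it


_opener = urllib.request.build_opener(_NoRedirect)


def classify(status, body):
    """Map an anonymous HTTP response to an ACL verdict.

    401/403            -> "denied":     Anonymous / [Default] = No access is working
    3xx                -> "redirected": a redirection URL covers this path
    200 + login form   -> "denied":     session authentication intercepted the request
    200 otherwise      -> "EXPOSED":    anonymous can read the database (bad ACL)
    """
    if status in (401, 403):
        return "denied"
    if 300 <= status < 400:
        return "redirected"
    if status == 200:
        # Assumption: a session-auth login page carries a password field.
        if 'type="password"' in body.lower():
            return "denied"
        return "EXPOSED"
    return "unknown"


def probe_anonymous(base_url, path, timeout=10):
    """Fetch path with no credentials; return (status, first 4 KiB of body)."""
    req = urllib.request.Request(base_url + path, headers={"User-Agent": "acl-check"})
    try:
        with _opener.open(req, timeout=timeout) as resp:
            return resp.getcode(), resp.read(4096).decode("latin-1", "replace")
    except urllib.error.HTTPError as e:  # 3xx/4xx/5xx land here
        return e.code, e.read(4096).decode("latin-1", "replace")
    except urllib.error.URLError:
        return 0, ""


def check_server(base_url, paths=SENSITIVE_PATHS, fetch=probe_anonymous):
    """Return {path: verdict} for each sensitive path; fetch is injectable for tests."""
    return {p: classify(*fetch(base_url, p)) for p in paths}
```

Run it as `check_server("http://your-domino-host")` from a Python shell; any "EXPOSED" entry means fix 1 has not been applied to that database.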
    
    This archive was generated by hypermail 2b30 : Thu Jan 31 2002 - 14:30:41 PST