
domino-notes.txt

Date: 17 Aug 1999 00:00:00
Reported by: Packet Storm
Source: packetstormsecurity.com

Lotus Notes 4.6+ Client: the "Preview in Web Browser" action starts the Domino HTTPD task on TCP port 80 of a client-only workstation, exposing its databases (including domcfg.nsf and domlog.nsf) to anyone who can reach that port. Combined with earlier Domino web vulnerabilities, remote users can read confidential databases and overwrite or create system files.

Code

```
`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'
L0pht Security Advisory   
URL Origin: http://www.l0pht.com/advisories.html   
Release Date: July 31, 1998
Application: Notes 4.6+ Client
Operating Sys: Any  
Severity: Users can overwrite/create system files  
Author: nny <[email protected]>  
Patch Status: Lotus has been made aware of this vulnerability
`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'  
  
I. Description  
  
The L0pht has received reports regarding a vulnerability in some  
implementations of Lotus Domino via the Notes Client. Information about  
this vulnerability has been posted to various public mailing lists and  
newsgroups.   
  
Versions 4.6+ of the Lotus Notes Client appear to be vulnerable; lower
versions may also be vulnerable but are untested at this time. The
vulnerability affects companies that use Lotus Notes primarily for
development purposes or as an intranet, and also any servers that were
distributed with the Lotus Notes Client and do not run the HTTPD task by
default. Note: this assumes Domino servers have already been patched
for the previous advisory.
  
Additionally, previous vulnerabilities, such as the one reported by
[email protected] (web users can write to remote server drives and change
server configuration files), come into play once more in combination
with the vulnerability in the Notes Client. No new vulnerability exists
in Lotus Domino servers that run the HTTP task by default.
  
II. Impact  
  
Remote intruders can potentially retrieve databases under development,
confidential company records, and so on. All of the above can be
achieved simply by connecting to TCP port 80 of a vulnerable Notes
Client machine while the client is running.
  
IIa. To Test  
  
From within Lotus Notes 4.6+ Client:  
1. Open any given database  
2. Click Actions -> Preview in Web Browser  
  
This should have launched your designated web browser and connected to
http://199.99.99.99/database or something similar. Even though you only
have the Notes Client installed on the machine and not the server, the
HTTPD task is now running and accepting connections on port 80 from any
address. Thus anyone on the Internet could open
http://199.99.99.99/domcfg.nsf/?open, or simply http://199.99.99.99 (to
get a listing of the available databases). Subsequently they could open
the web log and see which database(s) the given user was recently
accessing or modifying.
  
From this point an intruder can browse the databases and manipulate
documents that do a wide variety of things. Domino URL commands (which
can be used to edit, delete, and manipulate documents and files via the
web) are described in the Domino documentation as well as at:
http://www.notes.net/today.nsf/cbb328e5c12843a9852563dc006721c7/ca5230f9baf39fe1852564b5005e8419
  
Note: Once the Notes Client is closed the HTTPD task is also.  
  
III. Solution  
  
Database ACLs need to be edited manually by a competent administrator
to ensure security; the HTTPD task honours nothing else once it is
listening. If, for example, domlog.nsf can be read anonymously, that
alone is a security breach.
  
Workaround
Set up routing filters to disallow access to the HTTP port (TCP 80) of
Notes Client-only machines.
  
--------------------------------------------------------------------------  
  
The authoritative version of this file is at:   
http://www.l0pht.com/advisories.html  
  
  
```
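The test in section IIa and the ACL and routing-filter checks in section III, carried out over the network, as an added example that is not part of the L0pht advisory. For each host it connects to TCP port 80, fetches the database listing at /, and then requests domcfg.nsf and domlog.nsf (the two databases the advisory names) plus names.nsf (the Domino address book, an addition here) anonymously, reporting which answer 200 (readable by anyone) and which answer 401/403 (ACL in place). Run from outside the filtered segment, a "closed" result for every workstation is what the routing filter in section III should produce. Host names, the HTTP/1.0 exchange and the sample responses used to exercise the classifier are assumptions for illustration.

```python
"""Probe workstations for a Notes Client that has started the Domino HTTPD.

Added example, not code from the L0pht advisory or from Lotus. The raw
HTTP/1.0 GET, the database list and the host addresses are assumptions.
"""
import re
import socket
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# domcfg.nsf and domlog.nsf come from the advisory; names.nsf (the Domino
# address book) is an assumption added here as another database worth checking.
SENSITIVE_DBS = ("domcfg.nsf", "domlog.nsf", "names.nsf")
# Links to .nsf databases in the listing page served at "/".
NSF_LINK = re.compile(r'href="?/?([^"\s>?]+\.nsf)', re.IGNORECASE)


@dataclass
class HostReport:
    host: str
    http_open: bool = False
    databases: List[str] = field(default_factory=list)
    anonymous_readable: List[str] = field(default_factory=list)
    protected: List[str] = field(default_factory=list)

    def is_exposed(self) -> bool:
        """True when port 80 answers and anything is readable without a login."""
        return self.http_open and bool(self.databases or self.anonymous_readable)


def http_get(host: str, path: str, timeout: float = 3.0) -> Optional[bytes]:
    """Minimal HTTP/1.0 GET over a raw socket; None when port 80 is closed."""
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    try:
        with socket.create_connection((host, 80), timeout=timeout) as sock:
            sock.sendall(request)
            chunks = []
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
            return b"".join(chunks)
    except OSError:
        return None


def parse_status(response: bytes) -> int:
    """Status code from the response line; 0 if the bytes are not HTTP."""
    parts = response.split(b"\r\n", 1)[0].split()
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return 0


def extract_databases(body: str) -> List[str]:
    """Distinct .nsf names linked from the database listing at /."""
    found: List[str] = []
    for match in NSF_LINK.finditer(body):
        name = match.group(1).lower()
        if name not in found:
            found.append(name)
    return found


def classify(host: str, root: Optional[bytes],
             probes: Dict[str, Optional[bytes]]) -> HostReport:
    """Turn raw responses into a report; None means the TCP connect failed."""
    report = HostReport(host)
    if root is None:
        return report                       # port 80 closed: the expected state
    report.http_open = True
    if parse_status(root) == 200:
        report.databases = extract_databases(root.decode("latin-1"))
    for db_name, response in probes.items():
        if response is None:
            continue
        status = parse_status(response)
        if status == 200:
            report.anonymous_readable.append(db_name)   # readable by anyone
        elif status in (401, 403):
            report.protected.append(db_name)            # ACL in place (section III)
    return report


def check_host(host: str) -> HostReport:
    """Live check of one host: the listing at / plus the sensitive databases."""
    root = http_get(host, "/")
    probes = {db: http_get(host, f"/{db}?Open") for db in SENSITIVE_DBS}
    return classify(host, root, probes)


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:               # e.g. the workstation subnet, host by host
        rep = check_host(target)
        state = "EXPOSED" if rep.is_exposed() else ("open" if rep.http_open else "closed")
        print(f"{target}: {state} listing={rep.databases} anonymous={rep.anonymous_readable}")
```

A host that reports "open" but nothing anonymous still deserves a look: the HTTPD task is running on a machine that should not be a server, and the advisory's point is that database ACLs are the only thing standing between it and the network.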
