domino3.txt

1999-08-17T00:00:00
ID PACKETSTORM:15140
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

                                        
L0pht Security Advisory
-------------  
  
URL Origin: http://www.l0pht.com/advisories.html   
Release Date: October 9th, 1998   
Application: Lotus Domino   
Severity: Web users can retrieve sensitive data in many Domino   
based Internet applications   
Author: nardo@l0pht.com   
Operating Sys: All platforms   
  
-------------  
  
  
I. Description  
  
The L0pht has received reports regarding a vulnerability in some  
implementations of Domino based applications which result in the internet  
publication of sensitive information belonging to customers of Lotus/IBM  
and their business partners. This information is widely available to  
anyone with a web browser and includes such things as credit card numbers,  
addresses, phone numbers, etc. The information about this vulnerability  
has been posted to various public mailing lists and newsgroups.   
  
The vulnerability affects websites created by Lotus Business Partners who  
provide training services and accept credit card numbers via the web;   
however, in theory the vulnerabilities could extend to any e-Commerce  
site. Several Lotus Business Partners were confirmed to be affected by
this.
  
This advisory does not attempt to place blame on the software vendor or on  
the application developers. Many will see this as a flaw in the design or  
documentation of the product and many will see this as ignorance on the  
part of the web site builders. This advisory is designed to alert  
consumers that they should be wary of putting sensitive information into
internet web applications. The consumer has no way of knowing if the web  
application has been designed to correctly protect that data from  
anonymous internet access.   
  
II. Details  
  
Web users can navigate to the portion of the site used for processing  
registration and/or payment information and remove everything to the right  
of the database name in the URL (the databases typically end in .nsf.) In  
one example of this vulnerability, all the database views were then  
exposed which included a view containing previous registrations and a view  
containing "All Documents". These views could then be accessed by  
clicking on the link and browsing the data within the view (typically  
consisting of business and customer names, addresses, phone numbers, and  
payment information.)   
  
In another example, the views were protected from direct browsing, but  
could still be searched using the standard URL format for searches in  
Domino. This particular method would then allow the database to be  
searched for everyone who paid with a specific credit card or everyone who  
lives within a certain city.   
  
II a. To Test  
  
Navigate through a Domino site, and once a database has been accessed,  
remove the information after the .nsf or after the first set of numbers  
following the server portion of the URL and replace it with "?Open". If  
you are then presented with a list of views, your site is potentially  
vulnerable to having anonymous users access the information contained  
within the views listed. Lotus recommends blocking this access through a  
$$ViewTemplateDefault. If this technique is used, the second  
vulnerability comes into play, which is to access the view by using the  
following URL format:   
"http://www.server.com/database.nsf/viewname?SearchView&Query="*" ". This  
technique will bypass the $$ViewTemplateDefault if the database is  
full-text indexed. Many full text indexed sites were found vulnerable to  
this "feature" that their developers didn't plan for.  
  
III. Solution  
  
The sites affected could have been protected using reader and author names  
fields to prevent unauthorized access to their clients' sensitive data.
The internal registration views could've been hidden from anonymous users.   
They should've included a $$SearchTemplateDefault with no $$ViewBody field  
to block any unwelcome searching. Additionally, every Domino site should  
disallow anonymous access for at least these databases: names.nsf;   
catalog.nsf; log.nsf; domlog.nsf; domcfg.nsf.   
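
Added example, not part of the original L0pht advisory: a log review an
administrator can run over their own Domino web server log to find anonymous
requests that succeeded against a database root, a SearchView URL, or one of
the system databases listed above. It assumes the log is in NCSA common log
format with the authenticated user in the third field ("-" when anonymous);
the function names are hypothetical and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Databases the advisory says should never allow anonymous access.
SYSTEM_DBS = {"names.nsf", "catalog.nsf", "log.nsf", "domlog.nsf", "domcfg.nsf"}

# Assumed NCSA common log format: host ident user [time] "METHOD url PROTO" status bytes
LINE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def classify(line):
    """Return (client, reason) for a successful anonymous request of a kind
    the advisory describes, or None if the line is not of interest."""
    m = LINE.match(line)
    if not m:
        return None
    client, user, _method, url, status = m.groups()
    if user != "-" or not status.startswith("2"):
        return None  # authenticated user, or the server refused the request
    parts = urlsplit(url)
    path, query = parts.path.lower(), parts.query.lower()
    nsf = re.search(r"/([^/]+\.nsf)(/.*)?$", path)
    if not nsf:
        return None
    db, rest = nsf.group(1), (nsf.group(2) or "").strip("/")
    if db in SYSTEM_DBS:
        return client, "anonymous read of system database " + db
    if query.startswith("searchview"):
        return client, "anonymous SearchView on " + db
    if rest == "" and (query == "" or query.startswith("open")):
        return client, "anonymous view listing of " + db
    return None

# Constructed sample log lines (not from a real server).
SAMPLE = [
    '192.0.2.10 - - [09/Oct/1998:10:00:01 -0400] "GET /training.nsf/register?OpenForm HTTP/1.0" 200 4312',
    '192.0.2.10 - - [09/Oct/1998:10:00:09 -0400] "GET /training.nsf?Open HTTP/1.0" 200 2210',
    '192.0.2.10 - - [09/Oct/1998:10:00:30 -0400] "GET /training.nsf/regs?SearchView&Query=* HTTP/1.0" 200 9120',
    '192.0.2.44 - - [09/Oct/1998:10:02:00 -0400] "GET /names.nsf HTTP/1.0" 401 310',
    '192.0.2.44 - - [09/Oct/1998:10:02:05 -0400] "GET /log.nsf HTTP/1.0" 200 1800',
    '192.0.2.7 - jsmith [09/Oct/1998:10:03:00 -0400] "GET /training.nsf?Open HTTP/1.0" 200 2210',
]

def findings(lines):
    return [hit for hit in map(classify, lines) if hit]

if __name__ == "__main__":
    for client, reason in findings(SAMPLE):
        print(client, reason)
```

Any line it reports means the database ACL or the $$ templates still let an
unauthenticated browser reach data; a 401 on the same URL is the desired result.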
  
For specific questions about this advisory, please contact nardo@l0pht.com  
  
  
  
---------------  
For more L0pht (that's L - zero - P - H - T) advisories check out:  
http://www.l0pht.com/advisories.html  
---------------  