Bugtraq mailing list archives

Lotus Domino application vulnerability

From: weld () L0PHT COM (Weld Pond)
Date: Thu, 8 Oct 1998 22:32:38 -0500


L0pht Security Advisory
-------------

URL Origin:    http://www.l0pht.com/advisories.html
Release Date:  October  9th, 1998
Application:   Lotus Domino
Severity:      Web users can retrieve sensitive data in many Domino
               based Internet applications
Author:        nardo () l0pht com
Operating Sys: All platforms

-------------


I. Description

The L0pht has received reports regarding a vulnerability in some
implementations of Domino based applications which result in the internet
publication of sensitive information belonging to customers of Lotus/IBM
and their business partners.  This information is widely available to
anyone with a web browser and includes such things as credit card numbers,
addresses, phone numbers, etc.  The information about this vulnerability
has been posted to various public mailing lists and newsgroups.

The vulnerability affects websites created by Lotus Business Partners who
provide training services and accept credit card numbers via the web;
however, in theory the vulnerabilities could extend to any e-Commerce
site.  Several Lotus' Business Partners were confirmed to be affected by
this.

This advisory does not attempt to place blame on the software vendor or on
the application developers.  Many will see this as a flaw in the design or
documentation of the product and many will see this as ignorance on the
part of the web site builders. This advisory is designed to alert
consumers that they should be wary on putting sensitive information into
internet web applications.  The consumer has no way of knowing if the web
application has been designed to correctly protect that data from
anonymous internet access.

II. Details

Web users can navigate to the portion of the site used for processing
registration and/or payment information and remove everything to the right
of the database name in the URL (the databases typically end in .nsf.) In
one example of this vulnerability, all the database views were then
exposed which included a view containing previous registrations and a view
containing "All Documents".  These views could then be accessed by
clicking on the link and browsing the data within the view (typically
consisting of business and customer names, addresses, phone numbers, and
payment information.)

In another example, the views were protected from direct browsing, but
could still be searched using the standard URL format for searches in
Domino.  This particular method would then allow the database to be
searched for everyone who paid with a specific credit card or everyone who
lives within a certain city.

II a.  To Test

Navigate through a Domino site, and once a database has been accessed,
remove the information after the .nsf or after the first set of numbers
following the server portion of the URL and replace it with "?Open".  If
you are then presented with a list of views, your site is potentially
vulnerable to having anonymous users access the information contained
within the views listed.  Lotus recommends blocking this access through a
$$ViewTemplateDefault.  If this technique is used, the second
vulnerability comes into play, which is to access the view by using the
following URL format:

http://www.server.com/database.nsf/viewname?SearchView&Query="*";

This technique will bypass the $$ViewTemplateDefault if the database is
full-text indexed.  Many full text indexed sites were found vulnerable to
this "feature" that their developers didn't plan for.

III. Solution

The sites affected could have been protected using reader and author names
fields to prevent unauthorized access to their client's sensitive data.
The internal registration views could've been hidden from anonymous users.
They should've included a $$SearchTemplateDefault with no $$ViewBody field
to block any unwelcome searching.  Additionally, every Domino site should
disallow anonymous access for at least these databases:  names.nsf;
catalog.nsf; log.nsf; domlog.nsf; domcfg.nsf.

For specific questions about this advisory, please contact nardo () l0pht com



---------------
For more L0pht (that's L - zero - P - H - T) advisories check out:
http://www.l0pht.com/advisories.html
---------------

Current thread:

By-passing MS Proxy 2.0 and others packet filtering Mnemonix (Oct 08)
- Lotus Domino application vulnerability Weld Pond (Oct 08)
- Re: [NTSEC] By-passing MS Proxy 2.0 and others packet filtering Jean-Christophe Touvet (Oct 08)
  - Re: [NTSEC] By-passing MS Proxy 2.0 and others packet filtering Gus (Oct 13)
  - Re: [NTSEC] By-passing MS Proxy 2.0 and others packet filtering Peter van Dijk (Oct 13)
    - Re: [NTSEC] By-passing MS Proxy 2.0 and others packet filtering Kevin Way (Oct 14)
    - Secure Locate v1.2 klindsay (Oct 14)
- Re: By-passing MS Proxy 2.0 and others packet filtering Marc D. Behr (Oct 09)
- DoS attack in MS - Proxy 2.0 Mnemonix (Oct 09)