Bugtraq mailing list archives

Re: L0pht 'Domino' Vulnerability is alive and well


From: weld () L0PHT COM (Weld Pond)
Date: Tue, 6 Jul 1999 08:09:17 -0500


On Mon, 5 Jul 1999, Aleph One wrote:

http://www.l0pht.com/advisories/domino3.txt

It seems nine months after L0pht posted their advisory on file view
problems in Lotus Notes, the problem is alive and well.

The issues concerning incorrect Notes ACLs and using

www.server.com/database.nsf?Open

to access databases anonymously when ACLs
are incorrect were first raised in an earlier L0pht Advisory:

http://www.l0pht.com/advisories/domino2.txt

This advisory from 1/98 goes into better detail than the domino3.txt
advisory about the improper ACL problem giving anonymous users access to
Notes databases. Improper ACLs have been a staple of Notes web deployments
since we wrote our first Notes advisory back in 1996! No matter how many
advisories are written the problem doesn't seem to go away.

I haven't had a chance to look at Notes R5 yet but I hope Lotus has taken
some of our earlier suggestions. One was improving the default ACLs and
their inheritance from templates. Another was simplifying the UI for
checking that all the databases on a server have the proper ACLs
restricting anonymous access. These improvements will go a long way
towards solving this problem.

-weld
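As an added example that is not part of Weld Pond's post: a small Python audit of web-server access logs that flags databases a Domino server actually served to anonymous clients through the `?Open` URL form above, which is one way to find the improper ACLs the post describes. The common-log-format layout and the sample lines are constructed assumptions, not data from the original thread.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines (common log format); not from the original post.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jul/1999:08:09:17 -0500] "GET /names.nsf?Open HTTP/1.0" 200 5120
10.0.0.5 - jdoe [06/Jul/1999:08:10:02 -0500] "GET /hr/salaries.nsf?Open HTTP/1.0" 200 2048
10.0.0.9 - - [06/Jul/1999:08:11:45 -0500] "GET /hr/salaries.nsf?Open HTTP/1.0" 401 300
10.0.0.9 - - [06/Jul/1999:08:12:10 -0500] "GET /log.nsf?open HTTP/1.0" 200 900
10.0.0.9 - - [06/Jul/1999:08:13:00 -0500] "GET /index.html HTTP/1.0" 200 1200
"""

# ip ident authuser [timestamp] "method target protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

def is_anonymous_open(line):
    """Return the database path if the line records an anonymous request
    (no authenticated user) of the form /path/db.nsf?Open that the server
    answered with 200, i.e. the ACL let Anonymous open the database."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.lower().endswith(".nsf"):
        return None
    if parts.query.lower() != "open":      # Domino URL commands are case-insensitive
        return None
    if m.group("user") != "-" or m.group("status") != "200":
        return None
    return parts.path

def anonymous_open_databases(log_text):
    """Sorted list of databases served to anonymous users via ?Open.
    Each is a candidate for an ACL whose Anonymous/-Default- entry is too high."""
    found = set()
    for line in log_text.splitlines():
        path = is_anonymous_open(line)
        if path:
            found.add(path)
    return sorted(found)

if __name__ == "__main__":
    for db in anonymous_open_databases(SAMPLE_LOG):
        print("anonymous ?Open succeeded:", db)
```

A 401 on an anonymous `?Open` means the ACL is doing its job; only the 200 responses point at databases whose ACL needs review.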

