Bugtraq mailing list archives
Re: L0pht 'Domino' Vulnerability is alive and well
From: weld () L0PHT COM (Weld Pond)
Date: Tue, 6 Jul 1999 08:09:17 -0500
On Mon, 5 Jul 1999, Aleph One wrote:
> http://www.l0pht.com/advisories/domino3.txt
>
> It seems nine months after L0pht posted their advisory on file view problems in Lotus Notes, the problem is alive and well.

The issues concerning incorrect Notes ACLs and using www.server.com/database.nsf?Open to access databases anonymously when ACLs are incorrect were first raised in an earlier L0pht Advisory:

http://www.l0pht.com/advisories/domino2.txt

This advisory from 1/98 goes into better detail than the domino3.txt advisory about the improper ACL problem giving anonymous users access to Notes databases. Improper ACLs have been a staple of Notes web deployments since we wrote our first Notes advisory back in 1996! No matter how many advisories are written the problem doesn't seem to go away.

I haven't had a chance to look at Notes R5 yet but I hope Lotus has taken some of our earlier suggestions. One was improving the default ACLs and their inheritance from templates. Another was simplifying the UI for checking that all the databases on a server have the proper ACLs restricting anonymous access. These improvements will go a long way towards solving this problem.

-weld