Bugtraq mailing list archives
Black Watch Labs Vulnerability Alert
From: blackwatchlabs () PERFECTOTECH COM (Black Watch Labs)
Date: Fri, 19 May 2000 19:01:13 -0700
Dear Security Professional,

The following vulnerability, "Lotus Domino Server Misconfiguration Documents Can Be Modified over the Web", is in the text of the message below and has just been posted to the Black Watch Labs Web site at http://www.perfectotech.com/blackwatchlabs/

Thank you,
Black Watch Labs

If you wish to unsubscribe from this Black Watch Labs email update, please click on reply and type the word "Unsubscribe" in the subject line.

--------------------------------------------------------------------------------------------------------------------

Name: Web Applications Should Not Assume That Lotus Domino Enforces Login When Privileged Access Is Required

Black Watch Labs ID: BWL-00-08

Date Released: May 19th, 2000

Products affected: Web applications residing on top of Lotus Domino server.

Number of affected sites: A short survey found 2 vulnerable sites out of fewer than 40 surveyed. It is thus estimated that about 5% of Lotus-powered sites are vulnerable.

Category: HTML: Application Logic

Summary: Lotus Domino provides an elaborate and rich Access Control List (ACL) mechanism that controls access to objects, e.g. web pages. Some applications, however, do not employ ACLs properly, and rely on a successful user log-in procedure as the only security measure against unauthorized access. Such a mechanism is easily bypassed, and the supposedly protected web pages can be viewed by an unprivileged user.

Analysis: Suppose that the application has page A (which should be world readable), with a link to page B, which should be readable only by privileged users. Also suppose that this application is not properly configured, that is, both A and B are viewable by the anonymous web user with respect to their ACLs. Finally, the link from A to B is such that it pops up a log-in window (this is done by appending &login to the link).
The application seems to require a valid log-in before accessing the privileged page B, and indeed, failure to provide a valid log-in results in an error page rather than page B. However, if the attacker inspects the link from A to B, manually removes the &login, and then requests the resulting link (i.e. attempts to access page B directly), the request is granted and page B is presented to him/her.

It should be stressed that the attacker did not bypass the ACL mechanism provided by Lotus Domino. The problem is that the application falsely assumed that the login phase is mandatory for accessing page B, although page B's ACL allows all users, including Anonymous, to view it. The &login parameter cannot force the user to actually undergo the login phase, and Lotus Domino does not enforce going through a login phase in order to get the next page: whether the request is granted is decided by the ACL alone. An audit for this condition is therefore simple: for every link carrying &login, request the same URL without it as an anonymous client; if the page comes back, it is the ACL, not the login, that needs fixing.

Vendor Patch/Workaround: No patch or workaround available at the time of this release. Since the issue is an application misconfiguration, the remediation lies in the ACL: deny the Anonymous user access to page B (see the vendor response below), rather than relying on &login.

Response from Lotus: The problem described in the defect report is not a Domino issue. As stated above, both pages (A+B) are allowing anonymous access in the ACL. Therefore if a user bypasses the Login prompt (as described) then the user will be granted whatever access is set in the ACL. A properly configured ACL is *KEY* to Domino's security. This is NOT a Domino code defect - the product is working as designed.

References and Links:
Lotus: http://www.lotus.com/
Lotus Domino page: http://www.lotus.com/home.nsf/welcome/domino

Note about our process of contacting the vendor: We always contact the vendor and give them a few weeks to respond. Some of them choose to fix it (see the DBMan advisory for example), and some of them don't. However, once the advisory is published, the vendor will frequently fix it. So, overall, the advisories not only educate security professionals on the problem, they also encourage vendors to fix the holes.
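The check described in the Analysis above, written out as an added example (this is not code from the original advisory, from Black Watch Labs or from Lotus): a small Python script that strips the Domino Login URL command from a link and tests whether an anonymous request for the remaining URL is still served. The Domino server is simulated offline by a constructed per-page table standing in for the ACL; the host name, page paths, link list and ACL tables are all assumptions made for the example. For a live check, the fetch callable would be replaced by an unauthenticated HTTP client that returns the status code.

```python
from urllib.parse import urlsplit, urlunsplit

# Domino URL commands are the tokens of the query string, e.g.
#   /app.nsf/pageB?OpenDocument&Login
# "&Login" (or "?Login") asks the browser to authenticate; it does not change
# what the ACL grants to the resulting user, which is the advisory's point.


def strip_login(url):
    """Return url with the Login URL command removed (case-insensitive)."""
    parts = urlsplit(url)
    tokens = [t for t in parts.query.split("&") if t and t.lower() != "login"]
    return urlunsplit(parts._replace(query="&".join(tokens)))


def make_domino(anonymous_readable):
    """Simulated Domino server (constructed for this example, not real Domino).

    anonymous_readable maps a page path to True if the ACL lets the Anonymous
    web user read it. The real server decides per database ACL; a per-page
    table is enough to show the behaviour the advisory describes.
    Returns an anonymous fetch(url) -> (status, body) callable.
    """
    def fetch(url):
        parts = urlsplit(url)
        commands = {t.lower() for t in parts.query.split("&")}
        if "login" in commands:
            return 401, "login prompt"           # &Login: prompt, whatever the ACL says
        if not anonymous_readable.get(parts.path, False):
            return 401, "login prompt"           # ACL denies Anonymous: prompt as well
        return 200, "contents of " + parts.path  # ACL allows Anonymous: page served
    return fetch


def audit(urls, fetch):
    """URLs whose target is served to an anonymous client once &Login is removed.

    fetch(url) must make an unauthenticated request and return (status, body).
    """
    findings = []
    for url in urls:
        bare = strip_login(url)
        if bare == url:
            continue                             # no Login command, nothing to test
        with_login, _ = fetch(url)
        without_login, _ = fetch(bare)
        if with_login != 200 and without_login == 200:
            findings.append(bare)                # the login prompt was the only "protection"
    return findings


# Constructed sample links as they might appear in page A.
LINKS = [
    "http://host.example/app.nsf/pageB?OpenDocument&Login",
    "http://host.example/app.nsf/pageA?OpenDocument",
]

# Misconfiguration from the advisory: both pages readable by Anonymous.
WEAK_ACL = {"/app.nsf/pageA": True, "/app.nsf/pageB": True}
# Fix: Anonymous gets No Access to page B; &Login then adds nothing.
FIXED_ACL = {"/app.nsf/pageA": True, "/app.nsf/pageB": False}

if __name__ == "__main__":
    print("weak ACL :", audit(LINKS, make_domino(WEAK_ACL)))
    print("fixed ACL:", audit(LINKS, make_domino(FIXED_ACL)))
```

Against the weak ACL the audit reports page B without its &Login; against the fixed ACL it reports nothing, because the anonymous request is refused whether or not the Login command is present. Only links that actually carry a Login command are tested, so a page that is meant to be public (page A) produces no finding.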
About Black Watch Labs (www.perfectotech.com/blackwatchlabs/)

Black Watch Labs is a research group operated by Perfecto Technologies Inc., leader in Web application security management. Black Watch Labs was established in order to further the knowledge of the Internet community in the arena of Web application security management. Black Watch Labs publishes security advisories regularly, which are maintained at http://www.perfectotech.com/blackwatchlabs/, and are also posted to relevant security lists and websites. Black Watch Labs also operates a Web application security mailing list, which can be subscribed to at http://www.perfectotech.com/blackwatchlabs/. For more info about Black Watch Labs and Web Application Security Management, please call (408) 855-9500 or email BlackWatchLabs () perfectotech com

About Perfecto Technologies (www.perfectotech.com)

Founded in 1997 and headquartered in Santa Clara, Calif., Perfecto Technologies pioneered the market for Web Application Security Management software. AppShield, Perfecto Technologies' flagship product offering, is the first to provide extreme security for customer-facing applications in dynamic Web site environments. Perfecto Technologies has customers in many sectors including banking, e-tailing, finance, government, and healthcare. Privately held, Perfecto Technologies is funded by blue-chip venture capital firms and industry leaders, including Sequoia Capital, Walden, and Intel Corporation. More information about Perfecto Technologies may be obtained by visiting the Company's Website at www.perfectotech.com or by calling the Company directly at (408) 855-9500.

Copyright © 1997-2000 Perfecto Technologies LTD. All rights reserved. Permission is hereby granted to reproduce and distribute the application security alerts herein in their entirety, provided the information, this notice and all other Perfecto Technologies marks remain intact.
Specific Limitations on Use of the Black Watch Labs Advisories

THIS ADVISORY INCLUDES INFORMATION WHICH WILL ILLUSTRATE CERTAIN SECURITY RISKS AND ISSUES ASSOCIATED WITH SITES ON THE INTERNET, INCLUDING, POTENTIALLY, YOUR SITE. YOU AGREE THAT YOUR VIEWING OF THIS ADVISORY IS SOLELY FOR THE PURPOSES OF UNDERSTANDING THESE RISKS AND ISSUES WITH RESPECT TO YOUR SITE AND THE PRODUCTS AND SERVICES OFFERED BY PERFECTO TECHNOLOGIES. YOU AGREE NOT TO USE ANY INFORMATION DISCLOSED TO YOU FOR ANY IMPROPER OR ILLEGAL PURPOSE, INCLUDING TO VIOLATE THE SECURITY OF ANY OTHER PERSON'S SITE. YOU ARE EXPLICITLY WARNED THAT THE USE FOR ANY IMPROPER PURPOSE OF INFORMATION DISCLOSED TO YOU COULD SUBJECT YOU TO CIVIL AND CRIMINAL LIABILITY IN THE UNITED STATES AND OTHER COUNTRIES.

NO WARRANTY

Any material furnished by Perfecto Technologies is furnished on an "as is" basis and may change without notice. Perfecto Technologies makes no warranties of any kind, either expressed or implied, as to any matter including but not limited to warranty of fitness for a particular purpose or merchantability, exclusivity, or results obtained from use of the material. Neither does Perfecto Technologies make any warranty of any kind with respect to freedom from patent, trademark or copyright infringement. In no event shall Perfecto Technologies be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.