Re: Lotus Domino View ACL by-pass (#NISR29102001C)

["Bas Welman" <Bas_Welman () kelly nl>]

To respond on this issue:

There are diffent types of security within Domino applications:

-  First of all you have the Database ACL which take care of the
accessrights of the complete database.
   This one is the most important one since this one defines who can access
the database and on which level,
   and who cannot access at all.

- Secondly you can protect the diffent design elements like views and
forms,  which are required to view the data
   in the database. The only thing you protect is the ability of a user to
use these design elements to view data, not the data itself.

- Last one is the protection of the actual data which is stored in
documents. These documents can be protected
   by using reader and author fields.

There are a view more ways to protect data, but these three are the most
used ones.

The conclusion you can make is that the only way to actually protect your
data is to define your database ACL correctly
and make use of reader and author fields to define who can view and edit
the different documents. All other security
options are only procecting the different design element and not the actual
data.

Always keep this in mind while designing applications on the Lotus Domino
platform!


Bas Welman & Willem Jan Allaart
IT Development
Kelly Services International






NGSSoftware Insight Security Research Advisory

Name:    Lotus Domino View ACL by-pass
Systems Affected:  Lotus Domino Web Server 5.x on all operating systems
Severity:  Possibly high
Vendor URL:   http://www.lotus.com/
Author:   David Litchfield (david () nextgenss com)
Date:   29th October 2001
Advisory number: #NISR29102001C


Description
***********
Lotus Domino is an Application server designed to aid workgroups and
collaboration on projects and offers SMTP, POP3, IMAP, LDAP and web
services
that allow users to interact with Lotus Notes databases.

A Lotus Notes database contains documents which are organized into views.
Access control lists can be applied to the database itself, views and
documents. If a user has been denied access to a view, NISR have discovered
that it is possible to by-pass the permissions set on that view and access
the documents one would expect it to protect.



Details
*******
The reason this vulnerability exists is because even though a document
might
exist in one view it can be accessed from any view, that is all documents
in
a Lotus Notes database can be access from any view.

As an example of this examine the Statistics Reporting database,
statrep.nsf.

If you open the Events view:

http://server/statrep.nsf/136/?OpenView

some documents will exist. (136 is the NoteID of the Events view)

If you open the hidden $Alarms view

http://server/statrep.nsf/$alarms/?OpenView

no documents exist.

Request one of the documents from the Events view

http://server/statrep.nsf/136/8F6?OpenDocument

(8F6 is the NoteID of the first document)

Note the text of this document and then request

http://server/statrep.nsf/$alarms/8F6?OpenDocument

The same document is returned, even though $alarms has no documents.

Now,if you apply access controls on the Events view and request

http://server/statrep.nsf/136/8F6?OpenDocument

the server will return an Illegal Argument exeception error. This is
due to the fact that the server expects credentials.

However, requesting

http://server/statrep.nsf/$alarms/8F6?OpenDocument

still returns the document even though access to the view the
document exists in disallowed.


The reason we can request any document through any view is due to the fact
that a NoteID is simply a pointer to a location in the database file and as
long as the server receives its expected syntax, i.e. database, view then
document it will service the request. By making a request with a NoteID
we're simply forcing the server to return the contents of an arbitrary
location within the file.



Fix Information
***************
The solution to this problem is to ensure that,if you are applying ACLs to
a
view, the documents in that view are also protected.

Lotus were informed about this issue and their response was that applying
ACLs to a view protected only the view and not the documents themselves and
that they, too, should have access control lists applied.

NISR consider that the difference between expected and actual behaviour is
considerable enough that many Lotus administrators may be caught out by
this
and should ensure that their sensitive documents are indeed protected.


A check for this issue already exists in DominoScan, NGSSoftware's Lotus
Domino application security scanner, of which, more information is
available
from http://www.nextgenss.com/dominoscan.html . NISR have also written a
white paper on how to secure Lotus Domino's web server available from
http://www.nextgenss.com/papers.html

-----------------------------------------------------