Bugtraq mailing list archives

Re: Script for find domino's users


From: Chad Loder <chad () rapid7 com>
Date: Thu, 31 Jan 2002 16:56:36 -0800

You should also turn off "Read Public Documents" and "Write Public
Documents" because these settings apply even when the ACL is
otherwise set to No Access.

In addition, the posted script will give false positives on
many Domino servers on which requests for sensitive databases
will automatically redirect to the Login page (with a "200 OK"
HTTP message).

There are literally hundreds of default databases installed
not only with the base Domino server but also with typical
add-on features like DOLS, SameTime, QuickPlace, and LEI. Many
of these have poor default ACLs.

Allow me to give a blatant plug for NeXpose, Rapid 7's security
scanning tool. It scans for over 170 Domino vulnerabilities
(including the misconfigured ACLs of the databases I mentioned,
buffer overflows, cross site scripting, etc.).

NeXpose also has a nice feature of automatically pulling all
the usernames and HTTP password hashes (in many cases) out of
the server's NAB, if it has the default ACLs.

You can download it from http://www.rapid7.com

Also, you'll want to get the Falling Dominos presentation that
Kevin McPeake and Chris Coggins have been giving at DEFCon.
Do a Google search for Falling Dominos and you should be able
to find it archived somewhere.

        Chad Loder
        Rapid 7, Inc.

At Thursday 1/31/2002 08:03 PM +0000, you wrote:

This isn't a proof of concept, but more a probe for misconfigured database
ACLs.

If a Domino web server doesn't have a redirection URL for /mail/* mail
files, then you rely on the access control for each mail file.

Two things can be done to avoid this:

1 - Change the ACL on sensitive databases (/mail/*, names.nsf) to:
      Anonymous - No access
      [Default] - No access

2 - Within the Server Document for each server, ensure that "Allow HTTP
clients to browse databases:" is set to "No"

I believe that all versions of Domino server from 4.5 upwards are
susceptible to badly configured ACLs. Any good administrator would have a
hold of this already.



#!/usr/local/bin/php -q
<?

<snip>

</snip>

fclose ($fd);

?>

______________________________________
Chad Loder <chad () rapid7 com>
Principal Engineer
Rapid 7, Inc. <http://www.rapid7.com>
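An added example (not code from either message in this thread) of the false-positive check Chad raises: given a captured HTTP response to an anonymous request for a database such as names.nsf, it reports "exposed" only when a 200 OK body is real content rather than the login page, so an administrator verifying the ACL changes above is not misled by a "200 OK" login form. The ?Login, Username and Password form markers are assumptions about Domino's session-login form, and the sample responses are constructed, not captured from a server.

```python
import re

# Assumed markers of the Domino session-login form (not from the thread);
# adjust them to what your own server actually returns.
LOGIN_MARKERS = [re.compile(p, re.I) for p in
                 (r"\?Login\b", r'name="Username"', r'name="Password"')]

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("latin-1", errors="replace")

def classify(raw: bytes) -> str:
    """Only 'exposed' means anonymous access to the database really worked."""
    status, headers, body = parse_response(raw)
    if status in (401, 403):
        return "denied"
    if status in (301, 302, 303, 307):
        loc = headers.get("location", "").lower()
        return "login-redirect" if "?login" in loc else "redirect"
    if status == 200:
        # 200 OK whose body is the login form: the naive probe's false positive
        if any(m.search(body) for m in LOGIN_MARKERS):
            return "login-page"
        return "exposed"
    return "other"

# Constructed sample responses (not real server output) for the four cases.
SAMPLES = {
    "exposed": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               b"<html><body><a href='/names.nsf/People?OpenView'>People</a></body></html>",
    "login_200": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 b"<form method='post' action='/names.nsf?Login'>"
                 b"<input name=\"Username\"><input name=\"Password\"></form>",
    "denied": b"HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"x\"\r\n\r\n",
    "redirect": b"HTTP/1.1 302 Found\r\nLocation: /names.nsf?Login&RedirectTo=/mail/a.nsf\r\n\r\n",
}

def audit(samples: dict) -> dict:
    """Map each captured response to its verdict; act only on 'exposed'."""
    return {name: classify(raw) for name, raw in samples.items()}
```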

