From: Aleph One [aleph1@UNDERGROUND.ORG]
Sent: Monday, July 05, 1999 4:34 PM
To: BUGTRAQ@NETSPACE.ORG
Subject: L0pht 'Domino' Vulnerability is alive and well

This information was forwarded to Security Focus by someone that requested
to be anonymous.

http://www.l0pht.com/advisories/domino3.txt

It seems nine months after L0pht posted their advisory on file view
problems in Lotus Notes, the problem is alive and well. So well in fact
that doing a simple query via a search engine found dozens of *very* high
profile web servers open. Everything from Military sites, political
parties, police departments and even software vendors.

This is a follow-up to the Advisory published by the L0pht in October 1998.

Data that can be accessed by unauthorized users may include: usernames,
server names and IP addresses, dial-up server phone numbers, administration
logs, file names, and data files (including credit card information,
proprietary corporate data, and other information stored in eCommerce
related databases). In some instances, it may be possible for an
unauthorized user to modify these files or perform server administration
functions via the web administration interface.

The directory browsing "feature" is invoked when a user appends "?open" to
a Domino URL, ex. http://www.example.com/?open. If the server is
vulnerable, it will display the contents of the webroot directory. In
situations where multiple web sites are hosted on the same server, the
unauthenticated user may be able to view data from any of these virtual
servers.

This configuration weakness can be corrected by disabling database
browsing. The Lotus documentation suggests:

1. From the Domino Administrator, click the Configuration tab, and open
   the Server document.
2. Click the Internet Protocols - HTTP tab.
3. In the "Allow HTTP clients to browse databases" field, choose No.
4. Save the document.

The database access issue is caused by improper ACLs over sensitive .nsf
files on the Domino server. For example, an unauthorized user may attempt
to access the Name and Address Book by appending the database name to the
Domino Server URL: http://example.com/names.nsf (this syntax invokes an
explicit ?open command). User created databases containing any variety of
public or non-public information may be read if proper ACLs are not placed
on these files.

The following system files are potentially vulnerable: admin4.nsf,
webadmin.nsf, certlog.nsf, log.nsf, names.nsf, catalog.nsf, domcfg.nsf,
and domlog.nsf. These files contain a wealth of information that may allow
an unauthorized user to penetrate additional hosts and/or networks. In
some instances, these files may be modified by the attacker to change the
intended behavior of the web site. One particular example, cited by the
L0pht in a January 1998 Advisory, demonstrates the ability to completely
redirect all traffic destined for the vulnerable web site to a third party
"evil" web site.

To remedy this problem, it is suggested that each site running Domino web
servers verify that proper ACLs have been placed on both custom and system
related .nsf files. These recommendations should be considered not only
for Internet connected Domino servers, but also for corporate Intranet
servers.

--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
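Added here as a self-check example, not part of the advisory or of Lotus' own tooling: an administrator can run it against a Domino server they operate to verify that both remediations above took effect, i.e. that "?open" no longer lists the webroot and that the system .nsf files named in the advisory are not readable anonymously. It assumes the server answers an anonymous request with 200 when it serves a listing or database and with 401/403 when access is denied; the hostname is a placeholder and the sample responses are constructed.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin

# System databases named in the advisory; any of these readable by an
# anonymous client indicates a missing or too-permissive ACL.
SYSTEM_DBS = ["admin4.nsf", "webadmin.nsf", "certlog.nsf", "log.nsf",
              "names.nsf", "catalog.nsf", "domcfg.nsf", "domlog.nsf"]


def http_status(url, timeout=10):
    """Anonymous GET (no credentials sent); returns the HTTP status code."""
    req = urllib.request.Request(url, headers={"User-Agent": "domino-selfcheck"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_domino(base_url, fetch=http_status):
    """Map '?open' and each system .nsf to 'exposed', 'protected' or 'absent'.

    Assumption: 200 = served anonymously, 401/403 = access denied, 404 = not
    present. A 200 on '?open' should still be confirmed by eye, since a
    server may answer an error page with status 200. `fetch` is injectable
    so the classification can be exercised offline.
    """
    base = base_url.rstrip("/") + "/"
    results = {}
    for path in ["?open"] + SYSTEM_DBS:
        code = fetch(urljoin(base, path))
        if code == 200:
            results[path] = "exposed"
        elif code in (401, 403):
            results[path] = "protected"
        elif code == 404:
            results[path] = "absent"
        else:
            results[path] = "unexpected:%d" % code
    return results


def exposed_paths(results):
    """Paths that need attention, sorted for stable reporting."""
    return sorted(p for p, v in results.items() if v == "exposed")


# Constructed sample responses for a hypothetical server (placeholder host).
SAMPLE_RESPONSES = {
    "http://domino.example/?open": 200,       # browsing still enabled
    "http://domino.example/names.nsf": 200,   # address book readable anonymously
    "http://domino.example/log.nsf": 403,     # ACL in place
}


def sample_fetch(url):
    """Offline stand-in for http_status using the constructed responses."""
    return SAMPLE_RESPONSES.get(url, 404)
```

Run `check_domino("http://your-domino-host/")` with the default fetcher; an empty `exposed_paths()` result is the expected state after the two remediations.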