A glitch in Domino?
By Erich Luening
Staff Writer, CNET News.com
October 16, 1998, 12:25 p.m. PT
URL: http://www.news.com/News/Item/0,4,27647,00.html
Bug-busting group L0pht has posted an advisory on its Web site warning
Lotus Domino users and application developers of a glitch which occurs
with some applications based on the Web server and opens up sensitive
information to any user on the Internet.
The Boston, Massachusetts-based company has received reports regarding the
"vulnerability." Those reports say the glitch affects Web sites created by
Lotus Business Partners who provide training services and accept credit
cards over the Web. However, in theory, L0pht said the problem could
extend to any e-commerce site.
Although it has not released an official comment on the advisory, a Lotus
spokesman told CNET News.com that the company is aware of the alleged
glitch and is currently contacting customers to figure out its legitimacy.
It is expected to respond to the advisory soon.
L0pht said it contacted Lotus Business Partners, which confirmed that it
is affected by the problem, but the bug-busting group said it does not
want to "place blame on the software vendor or on the applications
developers."
"The advisory is designed to alert customers that they should be wary of
putting sensitive information into Web applications," L0pht said.
Detailing the problem, L0pht said Web users can navigate to the portion of
the site used for processing registration and payment information and
remove everything to the right of the database name in the URL, typically
ending in .nsf.
In one example, all the database views were exposed which included a view
containing previous registrations and a view containing "All documents."
These views then could be accessed by clicking on the link and browsing
the data within the view, which typically consists of business and
customer names, addresses, phone numbers, and payment information.
The problem may be related to the way in which the application built on
the Domino platform was designed, or just plain ignorance on the part of
the application developer, but because the biggest concern of consumers
using the Web to purchase goods and participate in e-commerce is
protecting sensitive information, the issue warrants attention, L0pht
said.
To test for the vulnerability, L0pht advises users to navigate through a
Domino site, and once a database has been accessed, remove the information
after the .nsf or after the first set of numbers following the server
portion of the URL and replace it with "?Open". If the user is then
presented with a list of views, the site is potentially vulnerable:
anonymous users may be able to access the information contained within the
views in that list.
For a temporary solution, the sites affected could have been protected
using reader and author names fields to prevent unauthorized access to
their clients' data. The internal registration views could have been hidden
from anonymous users. Additionally, every Domino site should disallow
anonymous access for at least these databases: names.nsf; catalog.nsf;
log.nsf; domlog.nsf; and domcfg.nsf.
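The self-test above (strip the URL back to the .nsf and append "?Open") and the recommendation to close off the default databases both leave a trace in the Web server's access log, which is where an administrator can verify the fix. The following script is an added example, not part of the article or of L0pht's advisory: it reads Common Log Format lines, which is one of the formats Domino can write, and flags two things from a defender's point of view: anonymous requests that stop at the database itself (with nothing, "?Open" or "?OpenDatabase" after it) and were answered with 200, which is the shape of the advisory's test, and any anonymous 200 for the five default databases the advisory says should not be reachable anonymously. The log lines are constructed for the example; the treatment of a 16-hex-digit path segment as a replica ID (the "first set of numbers" in the article's description) is an assumption, and the function names are mine.

```python
import re
from urllib.parse import urlsplit

# Default databases the advisory says should never be reachable anonymously.
SENSITIVE_DBS = {"names.nsf", "catalog.nsf", "log.nsf", "domlog.nsf", "domcfg.nsf"}

# Common Log Format: host ident authuser [timestamp] "METHOD path HTTP/x.y" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Assumption: a bare 16-hex-digit segment addresses a database by replica ID.
REPLICA_ID_RE = re.compile(r'^[0-9a-f]{16}$', re.IGNORECASE)


def parse_clf(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def database_name(path):
    """Return the database a Domino URL addresses (lower-cased): the first path
    segment ending in .nsf, or a replica-ID segment; None if there is none."""
    for seg in urlsplit(path).path.split("/"):
        if seg.lower().endswith(".nsf") or REPLICA_ID_RE.match(seg):
            return seg.lower()
    return None


def is_database_root_request(path):
    """True when the URL stops at the database itself, optionally followed by
    ?Open or ?OpenDatabase: the request the advisory's test produces."""
    parts = urlsplit(path)
    segs = [s for s in parts.path.split("/") if s]
    db = database_name(path)
    if db is None or not segs or segs[-1].lower() != db:
        return False  # a view, form or document follows the database name
    return parts.query.lower() in ("", "open", "opendatabase")


def find_exposures(lines):
    """Return (host, path, reason) tuples for anonymous requests that succeeded
    (HTTP 200) and either hit a default database or the root of any database."""
    findings = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        # "-" in the authuser field means the request was anonymous. Requests
        # that were authenticated or refused (401 etc.) are not exposures.
        if rec["user"] != "-" or rec["status"] != 200:
            continue
        db = database_name(rec["path"])
        if db is None:
            continue
        if db in SENSITIVE_DBS:
            findings.append((rec["host"], rec["path"],
                             "default database served to anonymous user"))
        if is_database_root_request(rec["path"]):
            findings.append((rec["host"], rec["path"],
                             "database root served to anonymous user; check whether the view list is exposed"))
    return findings


# Constructed sample log: a registration form, the ?Open probe, a view browse,
# a refused names.nsf request, an open domcfg.nsf, an authenticated ?Open and
# a replica-ID form of the probe.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Oct/1998:12:30:01 -0400] "GET /register.nsf/Registration?OpenForm HTTP/1.0" 200 5120',
    '10.0.0.5 - - [16/Oct/1998:12:30:15 -0400] "GET /register.nsf?Open HTTP/1.0" 200 2048',
    '10.0.0.5 - - [16/Oct/1998:12:30:40 -0400] "GET /register.nsf/AllDocuments?OpenView HTTP/1.0" 200 40960',
    '10.0.0.9 - - [16/Oct/1998:12:31:02 -0400] "GET /names.nsf?Open HTTP/1.0" 401 0',
    '10.0.0.9 - - [16/Oct/1998:12:31:20 -0400] "GET /domcfg.nsf HTTP/1.0" 200 3000',
    '10.0.0.7 - jsmith [16/Oct/1998:12:32:00 -0400] "GET /register.nsf?Open HTTP/1.0" 200 2048',
    '10.0.0.7 - - [16/Oct/1998:12:33:00 -0400] "GET /85256A1B00123456?OpenDatabase HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for host, path, reason in find_exposures(SAMPLE_LOG):
        print(f"{host} {path}: {reason}")
```

Run against the sample, the script reports the anonymous "?Open" on register.nsf, domcfg.nsf twice (it is both a default database and a root request), and the replica-ID probe; the refused names.nsf request and the authenticated user's request are not reported. Feeding it a real log after applying the reader/author fields and disabling anonymous access to the default databases should leave the report empty.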
For more information L0pht recommends contacting the author of the
advisory via email at nardo@L0pht.com.
In January, L0pht posted another advisory on Domino. The problem was not
an actual product bug, but instead a glitch in the way the Domino package
is configured by end users. Because of the glitch, any Web user could
write to and exploit remote server drives and change server configuration
files, according to L0pht. The design flaw again gave unauthorized users
unrestricted access to default Domino databases.
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Fri Oct 16 19:50:20 1998