[10961] in bugtraq
Re: L0pht 'Domino' Vulnerability is alive and well
daemon@ATHENA.MIT.EDU (Weld Pond)
Wed Jul 7 00:04:22 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.BSO.4.10.9907060808580.7836-100000@l0pht.com>
Date: Tue, 6 Jul 1999 08:09:17 -0500
Reply-To: Weld Pond <weld@L0PHT.COM>
From: Weld Pond <weld@L0PHT.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
On Mon, 5 Jul 1999, Aleph One wrote:
> http://www.l0pht.com/advisories/domino3.txt
>
> It seems nine months after L0pht posted their advisory on file view
> problems in Lotus Notes, the problem is alive and well.
The issues concerning incorrect Notes ACLs and using
www.server.com/database.nsf?Open
to access databases anonymously when ACLs
are incorrect were first raised in an earlier L0pht Advisory:
http://www.l0pht.com/advisories/domino2.txt
This advisory from 1/98 goes into better detail than the domino3.txt
advisory about the improper ACL problem giving anonymous users access to
Notes databases. Improper ACLs have been a staple of Notes web deployments
since we wrote our first Notes advisory back in 1996! No matter how many
advisories are written the problem doesn't seem to go away.
I haven't had a chance to look at Notes R5 yet but I hope Lotus has taken
some of our earlier suggestions. One was improving the default ACLs and
their inheritance from templates. Another was simplifying the UI for
checking that all the databases on a server have the proper ACLs
restricting anonymous access. These improvements will go a long way
towards solving this problem.
-weld
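Added example (not from the original post, and not L0pht's or Lotus's code): a small defender-side audit that models what Weld asks for above, a way to check that every database on a server has an ACL that keeps anonymous web users out. For each database it builds the `database.nsf?Open` URL mentioned in the message, requests it with no credentials, and flags any database the server serves to an anonymous client instead of challenging for authentication. The database list, the server name `notes.example.test`, the injectable `fetch` callable and the sample responses are all assumptions constructed for this example so it runs offline.

```python
"""Anonymous-access audit for Notes/Domino web databases.

Example code added to this archive page; it is not from the original
Bugtraq post. Assumptions not in the post: the administrator supplies the
list of database file names, and HTTP is done through an injectable
`fetch` callable so the logic can be run against constructed responses.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List
from urllib.parse import urljoin
import urllib.error
import urllib.request


@dataclass
class Finding:
    database: str
    url: str
    status: int
    anonymous_readable: bool


def open_url(server: str, database: str) -> str:
    """Build the ?Open URL for a database, e.g. http://host/names.nsf?Open."""
    if not server.endswith("/"):
        server += "/"
    return urljoin(server, database) + "?Open"


def http_status(url: str) -> int:
    """Real fetcher: an unauthenticated GET, returning the HTTP status code."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status: int) -> bool:
    """A 2xx answer to an anonymous ?Open means the ACL lets Anonymous read.
    401/403 (or a redirect to a login form) mean the server challenged the
    request, which is the state an administrator wants to see."""
    return 200 <= status < 300


def audit(server: str, databases: Iterable[str],
          fetch: Callable[[str], int] = http_status) -> List[Finding]:
    """Request every database anonymously and record how the server answered."""
    findings = []
    for db in databases:
        url = open_url(server, db)
        status = fetch(url)
        findings.append(Finding(db, url, status, classify(status)))
    return findings


def exposed(findings: Iterable[Finding]) -> List[str]:
    """Database names whose Anonymous ACL entry needs review."""
    return [f.database for f in findings if f.anonymous_readable]


# Constructed sample responses standing in for a test server (not real data).
SAMPLE_RESPONSES: Dict[str, int] = {
    "http://notes.example.test/names.nsf?Open": 200,    # ACL grants Anonymous reader
    "http://notes.example.test/log.nsf?Open": 401,      # challenged: correct
    "http://notes.example.test/catalog.nsf?Open": 403,  # denied: correct
}


def sample_fetch(url: str) -> int:
    """Offline stand-in for http_status, answering from SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES.get(url, 404)


if __name__ == "__main__":
    results = audit("http://notes.example.test",
                    ["names.nsf", "log.nsf", "catalog.nsf"], fetch=sample_fetch)
    for f in results:
        state = "ANONYMOUS READABLE" if f.anonymous_readable else "protected"
        print(f"{f.database:<14} {f.status}  {state}")
```

Run against a real server, `audit(server, databases)` with the default fetcher performs the same unauthenticated requests; anything listed by `exposed()` should have its ACL's Anonymous entry set to No Access unless that database is meant to be public.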