From weld@L0PHT.COM Sun Oct 11 04:22:18 1998 From: Weld Pond To: BUGTRAQ@netspace.org Date: Thu, 8 Oct 1998 22:32:38 -0500 Subject: Lotus Domino application vulnerability L0pht Security Advisory ------------- URL Origin: http://www.l0pht.com/advisories.html Release Date: October 9th, 1998 Application: Lotus Domino Severity: Web users can retrieve sensitive data in many Domino based Internet applications Author: nardo@l0pht.com Operating Sys: All platforms ------------- I. Description The L0pht has received reports regarding a vulnerability in some implementations of Domino based applications which result in the internet publication of sensitive information belonging to customers of Lotus/IBM and their business partners. This information is widely available to anyone with a web browser and includes such things as credit card numbers, addresses, phone numbers, etc. The information about this vulnerability has been posted to various public mailing lists and newsgroups. The vulnerability affects websites created by Lotus Business Partners who provide training services and accept credit card numbers via the web; however, in theory the vulnerabilities could extend to any e-Commerce site. Several Lotus' Business Partners were confirmed to be affected by this. This advisory does not attempt to place blame on the software vendor or on the application developers. Many will see this as a flaw in the design or documentation of the product and many will see this as ignorance on the part of the web site builders. This advisory is designed to alert consumers that they should be wary on putting sensitive information into internet web applications. The consumer has no way of knowing if the web application has been designed to correctly protect that data from anonymous internet access. II. Details Web users can navigate to the portion of the site used for processing registration and/or payment information and remove everything to the right of the database name in the URL (the databases typically end in .nsf.) In one example of this vulnerability, all the database views were then exposed which included a view containing previous registrations and a view containing "All Documents". These views could then be accessed by clicking on the link and browsing the data within the view (typically consisting of business and customer names, addresses, phone numbers, and payment information.) In another example, the views were protected from direct browsing, but could still be searched using the standard URL format for searches in Domino. This particular method would then allow the database to be searched for everyone who paid with a specific credit card or everyone who lives within a certain city. II a. To Test Navigate through a Domino site, and once a database has been accessed, remove the information after the .nsf or after the first set of numbers following the server portion of the URL and replace it with "?Open". If you are then presented with a list of views, your site is potentially vulnerable to having anonymous users access the information contained within the views listed. Lotus recommends blocking this access through a $$ViewTemplateDefault. If this technique is used, the second vulnerability comes into play, which is to access the view by using the following URL format: http://www.server.com/database.nsf/viewname?SearchView&Query="*" This technique will bypass the $$ViewTemplateDefault if the database is full-text indexed. Many full text indexed sites were found vulnerable to this "feature" that their developers didn't plan for. III. Solution The sites affected could have been protected using reader and author names fields to prevent unauthorized access to their client's sensitive data. The internal registration views could've been hidden from anonymous users. They should've included a $$SearchTemplateDefault with no $$ViewBody field to block any unwelcome searching. Additionally, every Domino site should disallow anonymous access for at least these databases: names.nsf; catalog.nsf; log.nsf; domlog.nsf; domcfg.nsf. For specific questions about this advisory, please contact nardo@l0pht.com --------------- For more L0pht (that's L - zero - P - H - T) advisories check out: http://www.l0pht.com/advisories.html ---------------