From nisr@nextgenss.com Tue Oct 30 22:04:20 2001 From: NGSSoftware Insight Security Research To: bugtraq@securityfocus.com Date: Wed, 31 Oct 2001 02:40:36 -0000 Subject: Lotus Domino Default Navigator Protection By-pass (#NISR29102001B) [The following text is in the "iso-8859-1" character set] [Your display is set for the "US-ASCII" character set] [Some characters may be displayed incorrectly] NGSSoftware Insight Security Research Advisory Name: Lotus Domino Default Navigator Protection By-pass Systems Affected: Lotus Domino Web Server 5.x on all operating systems Severity: Low Vendor URL: http://www.lotus.com/ Author: David Litchfield (david@nextgenss.com) Date: 29th October 2001 Advisory number: #NISR29102001B Description *********** Lotus Domino is an Application server designed to aid workgroups and collaboration on projects and offers SMTP, POP3, IMAP, LDAP and web services that allow users to interact with Lotus Notes databases. A Lotus Notes databases designer can create a navigator that allows a user to navigate the database for documents and each database comes with a default navigator called $defaultNav. This default navigator exposes a list of visible views to the user. If a web user was to access the default navigator over the web this may pose a mild security risk and as such a work around was created to prevent this. This work around is to create a URL to Redirection mapping so that if anyone were to make a request for the the default navigator they would be redirected elsewhere. NSIR have found that the current advice is wanting and is trivial to bypass and therefore the default navigator can still be accessed. Details ******* The current advice dictates that a URL to Redirection Mapping be created such that any requests for */*.nsf/$defaultNav* are redirected. This is lacking in two ways. Firstly, if a user makes a request using the database's ReplicaID the pattern matching is broken and access to the default navigator is gained. Secondly if any of the characters are URL encoded, i.e. the characters are changed from their ASCII to hex equivalent, then again access to the default navigator is granted as the pattern matching is broken. This happens because Domino web server does not decode the request before deciding whether the request should be redirected or not. Fix Information *************** Firstly, it must be noted that ensuring the database objects are secure with access control lists is far more preferable to relying on security through obscurity, which essentially the workaround to prevent access to the default navigator is. However, some administrators may still wish to prevent this so NISR suggest taking the following steps: A Domino administrator needs to create a URL redirection mapping for every possibility and when you consider /$%44efaultNav works just as well as /$%64efaultNav you have to take into case sensitivity. Due to this it would be far too impracticle to have a mapping for every variant. It is suggested therefore that only the first two characters be taken into consideration - $d. This way only 8 mappings need to be created: */%24D* */%24d* */%24%64* */%24%44* */$d* */$D* */$%64* */$%44* To create a URL -> Redirection mapping: Open the servers view and then click on the Actions menu bar item then select Web -> Create a URL Mapping/Redirection. This will open up the Mapping/Redirection form. On the Basics tab you want to set up a "Url -> Redirection" action. If the server in question is a virtual server from the site information tab enter its IP address and optionally a comment. In the mapping tab enter in the "Incoming URL path" edit box enter one of the eight listed above. In the "Redirection URL string" edit box enter a url where you'd have the person redirected to - for example the homepage. You need not enter anything in the "Administration" tab. Once all 8 have been added save and close the document and issue from the Domino console the command "tell http restart" for the changes to take effect. Note that if you substitute the leading slash with %2F or %5C the redirection mapping still works: http://server/foo.nsf%2f$defaultNav produces a 500 Unable to process request response, where as http://server/foo.nsf%5C$defaultNav performs the redirection. NextGenSS Insight Security Research have also tested variants of double URL encoding and UTF-8 encoding and these seem not to work - i.e. an attacker cannot get access to the default Navigator. If you have a normal database view which starts with the characters "$d" then this fix will prevent access to this view from over the web as any request that contains with "/$d" will be redirected. To work around this you could set up an alias for this view. Reiterating, if access control lists are set properly on the database and its objects then even if someone were able to access the default navigator then the risk posed is greatly minimized. Lotus were informed about this and they agreed that relying on security through obscurity measures was inadequate and the best way to ensure security of a Domino application was through the use of proper access control lists. A check for this issue already exists in DominoScan, NGSSoftware's Lotus Domino application security scanner, of which, more information is available from http://www.nextgenss.com/dominoscan.html . NISR have also written a white paper on how to secure Lotus Domino's web server available from http://www.nextgenss.com/papers.html -----------------------------------------------------