Bugtraq mailing list archives
Re: L0pht 'Domino' Vulnerability is alive and well
From: paully () IBA COM BY (Pavel Ahafonau)
Date: Wed, 7 Jul 1999 18:09:52 +0200
This is a well-known problem, so I'd just like to make some additions to the Lotus Notes/Domino advisory.

Usually Domino websites have some automation features. For example, to add a news article to the webserver you only need to create a document with the "NEWS" form. The new article will then appear on the news page of the webserver. The news page is organized as a Lotus Notes/Domino view whose design template is a specially named form.

To let anonymous web users access the news page, you should set the anonymous access level to "Author" for the entire Lotus Notes/Domino database. But to prevent anonymous users from creating unnecessary documents, you should add the field "SaveOptions" with its value set to "0" to the view template form (e.g., "($$ViewTemplate for news.html)", the view design template for the view named "news.html"; the view template should also have an alias name like "$$ViewTemplate for news.html").

For the "NEWS" form, you should set "Default read access to documents created with this form" for anonymous, and "Who can create documents with this form" for only those users, groups or roles who should have this access, but not for anonymous. For the view template form, "Who can create documents with this form" should also contain the anonymous user, to let web users access the automatically generated view with customized design.

This is also applicable to custom search forms, feedback forms and others with the same goal (e.g., navigator template forms). To allow web users (anonymous) to search through the database, the anonymous access level should be set to "Author", and the forms should have the field "SaveOptions" with its value set to "0".

Best regards,
Paully A. Ahafonau.
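The settings listed in the message above can be checked mechanically once they are written down per form. The following is an added example, not part of the original post or of any Lotus tooling: the dictionary layout, the `template` flag, the `[Editors]` role and both sample designs are constructed for illustration and are not a Domino export format.

```python
ANON = "Anonymous"

def audit(db):
    """Check one database design summary against the rules in the post."""
    findings = []
    level = db["acl"].get(ANON, "No Access")
    if level != "Author":
        findings.append(f"acl: {ANON} is '{level}', the post calls for 'Author'")
    for form in db["forms"]:
        name = form["name"]
        anon_creates = ANON in form["creators"]
        if form["template"]:
            # View template, search, feedback and navigator template forms:
            # anonymous must be able to open them, but nothing may be saved.
            if not anon_creates:
                findings.append(f"{name}: {ANON} missing from 'Who can create documents'")
            if form.get("save_options") != "0":
                findings.append(f"{name}: no SaveOptions field set to \"0\"")
        elif anon_creates:
            # Content forms such as NEWS: only named users, groups or roles.
            findings.append(f"{name}: {ANON} can create documents with this form")
    return findings

# Constructed sample: a design that leaves both gaps the post warns about.
WEAK = {
    "acl": {ANON: "Author"},
    "forms": [
        {"name": "NEWS", "template": False, "creators": [ANON, "[Editors]"]},
        {"name": "$$ViewTemplate for news.html", "template": True,
         "creators": [ANON], "save_options": None},
    ],
}

# Constructed sample: the same design configured as the post describes.
FIXED = {
    "acl": {ANON: "Author"},
    "forms": [
        {"name": "NEWS", "template": False, "creators": ["[Editors]"]},
        {"name": "$$ViewTemplate for news.html", "template": True,
         "creators": [ANON], "save_options": "0"},
    ],
}

if __name__ == "__main__":
    for label, db in (("weak", WEAK), ("fixed", FIXED)):
        print(label, audit(db) or "no findings")
```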