Bugtraq mailing list archives
Black Watch Labs Vulnerability Alert
From: blackwatchlabs () PERFECTOTECH COM (Black Watch Labs)
Date: Fri, 19 May 2000 18:55:02 -0700
Dear Security Professional,

The following vulnerability: "Lotus Domino Server Misconfiguration: Documents Can Be Modified over the Web" is in the text of the message below and has just been posted to the Black Watch Labs Web site at http://www.perfectotech.com/blackwatchlabs/

Thank you,
Black Watch Labs

If you wish to unsubscribe from this Black Watch Labs email update, please click on reply and type the word "Unsubscribe" in the subject line.

----------------------------------------------------------------------------------------------

Name: Lotus Domino Server Misconfiguration: Documents Can Be Modified over the Web.
Black Watch Labs ID: BWL-00-07
Date Released: May 19th, 2000
Category: Application (HTML)
Products affected: Lotus Domino Server

Summary: Documents (records) that are available for viewing through a Lotus Domino server may also be edited over the web if the access rights for them are not properly configured.

Analysis: The command at the end of a Domino URL (?OpenDocument) only tells the server which operation to perform; it is not an access control. Whether a document may be edited is decided by the access rights of the database it lives in, not by the URL the site happens to link to. Where those rights let an anonymous web user edit, any document that can be viewed can also be changed, simply by modifying the URL so that the browser sends EditDocument instead of OpenDocument.

Exploits: As hinted above. A typical URL would look like:

http://www.site-running-domino.server/database.nsf/whatever-this/whatever-that?OpenDocument

In such a case the exploit is to request instead:

http://www.site-running-domino.server/database.nsf/whatever-this/whatever-that?EditDocument

Sites that have their access control in place will pop up an authentication window. Sites that are vulnerable will simply display the document in Edit view, allowing the attacker to modify the document data.

Number of affected sites/pages/users: We examined sites that run Lotus Domino server and found several that allow editing. We estimate that more than 10% of such sites have this vulnerability. Among these:

- A well-known US university offering a large database of professionals and experts. Each record contains contact info, field of expertise, education, etc. for an individual. Each such record can be edited and modified.
- A site devoted to one of the largest cities in the US; the site contains an editor's choice section for restaurants, which can be edited and modified.
- A US government organization's site that contains a large database; the database can be modified.
- A US National Institute site whose content is loaded as database queries. Parts of the site can be defaced.

Vendor Patch or workaround: Each site running a Domino server is encouraged to ensure that its databases are well-configured, so that the outside user is not allowed to change records. In practice this means reviewing the Anonymous (and Default) entries in each database's ACL and confirming that web users are granted no more than read access; the check is per database, since every .nsf carries its own ACL.

Response received from Lotus: This is not a Defect. The arguments passed in the URL are not a security feature. In this instance the ACL of the database must be configured properly to determine if a document can be edited or not. Failure to do this is considered poor design technique. Commands to edit a document are passed via URL whether through a button or manually typed in. It is up to the designer to properly configure a security scheme to determine how the command will be acted on.

References and Links:
Lotus Domino server: http://www.lotus.com/home.nsf/welcome/domino

Note about our process of contacting the vendor: We always contact the vendor and give them a few weeks to respond. Some of them choose to fix it (see the DBMan advisory for example), and some of them don't. However, once the advisory is published the vendor will frequently fix it. So, overall the advisories not only educate security professionals on the problem, they also encourage vendors to fix the holes.

About Black Watch Labs (www.perfectotech.com/blackwatchlabs/)

Black Watch Labs are a research group operated by Perfecto Technologies Inc., leader in application security products. Black Watch Labs were established in order to further the knowledge of the e-commerce community in the arena of web application security management. Black Watch Labs publish security advisories regularly, which are maintained at http://www.perfectotech.com/blackwatchlabs/, and are also posted to relevant security lists and websites. Black Watch Labs also operate a web application security mailing list, which can be subscribed to at http://www.perfectotech.com/blackwatchlabs/. For more info about Black Watch Labs and Web Application Security, please call (650) 625-8101 or mail to BlackWatchLabs () phaser perfectotech com

About Perfecto Technologies (www.perfectotech.com)

Founded in 1997 and headquartered in Mountain View, Calif., Perfecto Technologies pioneered the market for Web Application Security Management software. AppShield, Perfecto's initial product offering, is the first to provide extreme security for customer-facing applications in dynamic eBusiness environments. Privately held, Perfecto is funded by blue-chip venture capital firms and industry leaders, including Sequoia Capital, Walden, and Intel Corporation. More information about Perfecto Technologies may be obtained by visiting the Company's Website at www.perfectotech.com or by calling the Company directly at (650) 625-8101.

Copyright © 1997-2000 Perfecto Technologies LTD. All rights reserved. Permission is hereby granted to reproduce and distribute the application security alerts herein in their entirety, provided the information, this notice and all other Perfecto Technologies marks remain intact.

Specific Limitations on Use of the Perfecto Technologies Website

THIS SITE INCLUDES INFORMATION WHICH WILL ILLUSTRATE CERTAIN SECURITY RISKS AND ISSUES ASSOCIATED WITH SITES ON THE INTERNET, INCLUDING, POTENTIALLY, YOUR SITE. YOU AGREE THAT YOUR VIEWING OF THIS SITE IS SOLELY FOR THE PURPOSES OF UNDERSTANDING THESE RISKS AND ISSUES WITH RESPECT TO YOUR SITE AND THE PRODUCTS AND SERVICES OFFERED BY PERFECTO TECHNOLOGIES. YOU AGREE NOT TO USE ANY INFORMATION DISCLOSED TO YOU FOR ANY IMPROPER OR ILLEGAL PURPOSE, INCLUDING TO VIOLATE THE SECURITY OF ANY OTHER PERSON'S SITE. YOU ARE EXPLICITLY WARNED THAT THE USE FOR ANY IMPROPER PURPOSE OF INFORMATION DISCLOSED TO YOU COULD SUBJECT YOU TO CIVIL AND CRIMINAL LIABILITY IN THE UNITED STATES AND OTHER COUNTRIES.

NO WARRANTY

Any material furnished by Perfecto Technologies is furnished on an "as is" basis and may change without notice. Perfecto Technologies makes no warranties of any kind, either expressed or implied, as to any matter including but not limited to warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Neither does Perfecto Technologies make any warranty of any kind with respect to freedom from patent, trademark or copyright infringement. In no event shall Perfecto Technologies be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
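The check described under "Exploits" above, as an added example that is not code from the advisory, from Black Watch Labs or from Lotus: it rewrites an ?OpenDocument URL to its ?EditDocument form and classifies the server's answer to the edit request. The host domino.example, the three sample responses, and the verdict heuristic (a 401/403, or a redirect to a login page, counts as protected; a 200 page that carries an HTML form counts as an edit view served to an unauthenticated client) are assumptions made here for illustration, not Domino-documented behaviour. The sample run is offline; fetch_http is included for a live check against a site you are authorised to test.

```python
"""Added example: probe a Domino ?OpenDocument URL for an unprotected ?EditDocument view.

The URL rewrite is the one the advisory describes. The sample host, the sample
responses and the classification heuristic are assumptions for illustration only.
"""
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit


def to_edit_url(url: str) -> str:
    """Replace the Domino URL command OpenDocument with EditDocument, leaving the rest intact."""
    parts = urlsplit(url)
    query = re.sub(r"^OpenDocument", "EditDocument", parts.query, flags=re.IGNORECASE)
    if query == parts.query:
        raise ValueError("not an ?OpenDocument URL: " + url)
    return urlunsplit(parts._replace(query=query))


FORM_RE = re.compile(r"<form\b", re.IGNORECASE)
# Assumption: a redirect whose target mentions a login page is the server asking for
# credentials (Domino session authentication redirects to names.nsf?Login; setups vary).
LOGIN_RE = re.compile(r"login", re.IGNORECASE)


def classify(status: int, headers: dict, body: str) -> str:
    """Heuristic verdict on the ?EditDocument response (an assumption, not a Domino rule)."""
    if status in (401, 403):
        return "protected"          # credentials demanded, or the edit refused outright
    if status in (301, 302, 303, 307, 308):
        location = headers.get("Location", "")
        return "protected" if LOGIN_RE.search(location) else "inconclusive"
    if status == 200 and FORM_RE.search(body):
        return "vulnerable"         # an edit form was served to an unauthenticated client
    return "inconclusive"


def probe(open_url: str, fetch) -> tuple:
    """Rewrite open_url to ?EditDocument, fetch it with `fetch`, return (edit_url, verdict)."""
    edit_url = to_edit_url(open_url)
    status, headers, body = fetch(edit_url)
    return edit_url, classify(status, headers, body)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand 3xx responses back to the caller instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_http(url: str, timeout: float = 10.0) -> tuple:
    """Real fetch for a live check; returns (status, headers, body). Not used by the offline sample."""
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request(url, headers={"User-Agent": "domino-edit-check/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.getcode(), dict(resp.headers), resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:       # 3xx (unfollowed), 4xx and 5xx land here
        return err.code, dict(err.headers), err.read(65536).decode("utf-8", "replace")


# Constructed sample responses (not captured from any real site): one misconfigured
# database, one protected by a basic-auth challenge, one protected by a session-login redirect.
SAMPLE_RESPONSES = {
    "http://domino.example/db.nsf/view/doc1?EditDocument": (
        200, {"Content-Type": "text/html"},
        '<html><form method="post" action="/db.nsf/view/doc1?SaveDocument">'
        '<input name="Subject" value="Old title"></form></html>'),
    "http://domino.example/db.nsf/view/doc2?EditDocument": (
        401, {"WWW-Authenticate": 'Basic realm="/db.nsf"'}, "Unauthorized"),
    "http://domino.example/db.nsf/view/doc3?EditDocument": (
        302, {"Location": "/names.nsf?Login"}, ""),
}


def sample_fetch(url: str) -> tuple:
    """Offline stand-in for fetch_http that serves the constructed responses above."""
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    for doc in ("doc1", "doc2", "doc3"):
        print(probe(f"http://domino.example/db.nsf/view/{doc}?OpenDocument", sample_fetch))
```

Run against a live server, pass fetch_http instead of sample_fetch. Redirects are deliberately not followed, because following one would turn a login redirect into a 200 page and hide the very signal the check relies on; an "inconclusive" verdict means the response did not match either pattern and should be looked at by hand.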