[NEWS] Lotus Domino Default Navigator Protection Bypass
From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] Lotus Domino Default Navigator Protection Bypass
Message-Id: <20011107212321.70033138C0@mail.der-keiler.de>
Date: Wed, 7 Nov 2001 22:23:21 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Lotus Domino Default Navigator Protection Bypass
------------------------------------------------------------------------
SUMMARY
Lotus Domino is an application server designed to support workgroups and
collaboration on projects; it offers SMTP, POP3, IMAP, LDAP and web
services that allow users to interact with Lotus Notes databases.
A Lotus Notes database designer can create a navigator that allows a user
to navigate the database for documents, and each database comes with a
default navigator called $defaultNav. This default navigator exposes a
list of visible views to the user. If a web user were to access the default
navigator over the web, this may pose a mild security risk, and as such a
workaround was created to prevent this. The workaround is to create a
URL -> Redirection mapping so that anyone who requests the default
navigator is redirected elsewhere. NISR have found that the current advice
is wanting: it is trivial to bypass, and therefore the default navigator
can still be accessed.
DETAILS
Vulnerable systems:
Lotus Domino Web Server 5.x on all operating systems
The current advice dictates that a URL -> Redirection mapping be created
such that any request for */*.nsf/$defaultNav* is redirected. This is
lacking in two ways:
First, if a user makes the request using the database's ReplicaID instead
of its file name, the pattern does not match and access to the default
navigator is gained.
Second, if any of the characters are URL encoded, i.e. replaced by their
hex (%xx) equivalents, the pattern again fails to match and access to the
default navigator is granted.
This happens because the Domino web server does not decode the request
before deciding whether it should be redirected.
Fix information:
First, it must be noted that securing the database objects with access
control lists is far preferable to relying on security through obscurity,
which is essentially what the workaround for the default navigator is.
However, some administrators may still wish to prevent this access, so
NISR suggest taking the following steps:
A Domino administrator would need to create a URL -> Redirection mapping
for every possibility, and when you consider that /$%44efaultNav works
just as well as /$%64efaultNav, case sensitivity has to be taken into
account as well. A mapping for every variant would therefore be far too
impractical. It is suggested instead that only the first two characters,
$d, be considered. This way only 8 mappings need to be created:
*/%24D*
*/%24d*
*/%24%64*
*/%24%44*
*/$d*
*/$D*
*/$%64*
*/$%44*
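The following Python is an added example, not code from the advisory, NGSSoftware or Lotus: it models the three rule sets discussed above (the single original mapping, the eight raw-URL mappings, and one rule applied after decoding) as shell-style globs and runs them over constructed request paths. The sample paths, the ReplicaID value and the glob-based matcher are assumptions made for illustration; a real Domino server's matching engine is not reproduced. The point it shows is the general one: a rule compared against the undecoded URL needs one variant per encoding, while decoding once before comparing lets a single rule cover them all, including the ReplicaID form.

```python
"""Added example (not from the advisory, NGSSoftware or Lotus): why a
redirect rule compared against the raw, undecoded URL is bypassable, and
how normalising the path before matching closes the gap.  Rules are
modelled as shell-style globs with fnmatch; a real Domino server's
matching engine is not reproduced here."""
import fnmatch
from urllib.parse import unquote

# The single mapping the original advice recommended, as a glob.
NAIVE_RULE = "*/*.nsf/$defaultNav*"

# The eight raw-URL mappings the advisory suggests instead.
EIGHT_RULES = [
    "*/%24D*", "*/%24d*", "*/%24%64*", "*/%24%44*",
    "*/$d*", "*/$D*", "*/$%64*", "*/$%44*",
]

# One rule applied after decoding; it needs no per-encoding variants and,
# unlike NAIVE_RULE, does not require ".nsf" to appear in the path.
DECODED_RULE = "*/$defaultnav*"

# Constructed sample request paths (not captured from any real server).
# The 16-hex-digit ReplicaID is a made-up value.
SAMPLE_PATHS = [
    "/foo.nsf/$defaultNav",           # plain request
    "/foo.nsf/$%64efaultNav",         # 'd' percent-encoded
    "/foo.nsf/%24DefaultNav",         # '$' percent-encoded, upper-case 'D'
    "/foo.nsf/%24%64efaultNav",       # both leading characters encoded
    "/8525696B0057C0FF/$defaultNav",  # ReplicaID used instead of the file name
    "/foo.nsf/$%2564efaultNav",       # double-encoded; one decode yields "$%64..."
    "/foo.nsf/Customers",             # ordinary view, must not be redirected
]


def matches_raw(path, rules):
    """Compare the raw path against the rules, as a server that does not
    decode before matching would.  fnmatchcase keeps '$' literal and the
    comparison case-sensitive on every platform."""
    return any(fnmatch.fnmatchcase(path, rule) for rule in rules)


def normalise(path):
    """Percent-decode exactly once, then case-fold.  A single decode pass
    mirrors the advisory's observation that double-encoded requests did not
    reach the navigator."""
    return unquote(path).lower()


def matches_decoded(path, rule=DECODED_RULE):
    """Apply one rule to the normalised path."""
    return fnmatch.fnmatchcase(normalise(path), rule)


def classify(path):
    """Report which of the three strategies would redirect this request."""
    return {
        "naive_raw": matches_raw(path, [NAIVE_RULE]),
        "eight_raw": matches_raw(path, EIGHT_RULES),
        "decoded": matches_decoded(path),
    }


def bypasses(paths=SAMPLE_PATHS):
    """Paths that slip past the naive rule but are caught once the request
    is decoded: the gap the advisory describes."""
    return [p for p in paths
            if not classify(p)["naive_raw"] and classify(p)["decoded"]]


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:32} {classify(p)}")
    print("missed by naive rule:", bypasses())
```

Running the block lists, for each constructed path, which strategy redirects it; the four encoded and ReplicaID variants are missed by the naive rule and caught by both the eight mappings and the decode-then-match rule, while the double-encoded path and the ordinary view are redirected by none. The design point is the normalise() step: whatever the rule engine, it should be comparing the same canonical form of the path that the application will ultimately act on.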
To create a URL -> Redirection mapping:
Open the Servers view, click the Actions menu bar item and select
Web -> Create a URL Mapping/Redirection. This opens the Mapping/Redirection
form. On the Basics tab, set up a "URL -> Redirection" action. If the
server in question is a virtual server, enter its IP address on the Site
Information tab, and optionally a comment.
On the Mapping tab, enter one of the eight patterns listed above in the
"Incoming URL path" edit box. In the "Redirection URL string" edit box,
enter the URL the person should be redirected to, for example the
homepage. Nothing needs to be entered on the "Administration" tab. Once
all 8 mappings have been added, save and close the document and issue the
command "tell http restart" from the Domino console for the changes to
take effect.
Note that substituting the slash before $defaultNav with %2F or %5C does
not defeat the mappings:
http://server/foo.nsf%2f$defaultNav
produces a "500 Unable to process request" response, whereas
http://server/foo.nsf%5C$defaultNav
performs the redirection.
NextGenSS Insight Security Research have also tested variants of double
URL encoding and UTF-8 encoding, and these do not seem to work, i.e. an
attacker cannot get access to the default navigator with them. If you have
a normal database view whose name starts with the characters "$d", this
fix will prevent access to that view over the web, as any request that
contains "/$d" will be redirected. To work around this, you could set up
an alias for the view.
To reiterate: if access control lists are set properly on the database and
its objects, then even if someone were able to access the default
navigator, the risk posed is greatly minimized.
Lotus were informed about this and they agreed that relying on security
through obscurity measures was inadequate and the best way to ensure
security of a Domino application was through the use of proper access
control lists.
ADDITIONAL INFORMATION
The information has been provided by NGSSoftware Insight Security Research
<nisr@nextgenss.com>.