Vulnerability

    Lotus Domino Server

Affected

    Web Applications residing on top of Lotus Domino server.

Description

    Following is  based on  Black Watch  Labs Advisory.   Lotus Domino
    provides an elaborate  and rich Access  Control Lists (ACLs)  that
    control the access of objects, e.g. web pages.  Some applications,
    however, do  not employ  ACLs properly,  and rely  on a successful
    user log-in procedure as the only security measure for  protection
    against illegal access. Such mechanism can be easily bypassed, and
    the web pages can be viewed by an unprivileged user.

    Suppose that  the application  has page  A (which  should be world
    readable), with a link to page B, which should be readable only to
    privileged  users.   Also  suppose  that  this  application is not
    properly configured,  that is,  both A  and B  are viewable to the
    anonymous web  user (with  respect to  their ACLs).   Finally, the
    link from A to B is such that it pops-up a log-in window (this  is
    done by appending a "&login" to the link).  The application  seems
    to require a valid log-in before accessing the privileged page  B,
    and  indeed,  failure  to  provide  a  valid  log-in results in an
    error-page, rather than page B.  However, it the attacker inspects
    the link from A to B, and manually removes the “&login”, and  then
    requests this  link (i.e.  attempts to  access page  B), then this
    attacker's request is granted, and page B is presented to him/her.
    It should  be stressed  that the  attacker did  not bypass the ACL
    mechanism provided  by Lotus  Domino.   The problem  here is  that
    the application falsely assumed that the login phase is  mandatory
    for accessing page  B, although page  B's ACL allows  all possible
    users to  view it;  where in  fact, the  “&login” parameter cannot
    force the  user to  actually undergo  the login  phase, and  Lotus
    Domino does not  enforce going through  a login phase  in order to
    get the next page.

Solution

    No patch  or workaround  available at  the time  of this  release.
    The problem described on the defect report is not a Domino  issue.
    As stated above both pages (A+B) are allowing anonymous access  in
    the  ACL.   Therefore  if  a  user  bypasses  the Login prompt (as
    described) then the  user will be  granted whatever access  is set
    in  the  ACL.   A  properly  configured  ACL  is *KEY* to Domino's
    security.    This is  NOT a  Domino code  defect -  the product is
    working as designed. At least so they say at Lotus.