
Lotus Notes 4.6+ Client allows users to overwrite/create system files.


[ http://www.rootshell.com/ ]

`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'
                 L0pht Security Advisory
    URL Origin:  http://www.l0pht.com/advisories.html
  Release Date:  July 31, 1998   Application:  Notes 4.6+ Client
 Operating Sys:  Any
      Severity:  Users can overwrite/create system files
        Author:  nny <nny@l0pht.com>
  Patch Status:  Lotus has been made aware of this vulnerability
`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'

I. Description

The L0pht has received reports regarding a vulnerability in some
implementations of Lotus Domino via the Notes Client. Information about
this vulnerability has been posted to various public mailing lists and
newsgroups.

Versions 4.6+ of the Lotus Notes Client appear to be vulnerable; lower
versions may also be vulnerable but at this time are untested.  The
vulnerability affects companies that use Lotus Notes primarily for
development purposes or as an Intranet, and also any servers that were
distributed with the Lotus Notes Client and are not running the HTTPD
task by default.  Note: This assumes Domino servers have already been
patched as described in the previous advisory.

Additionally, previous vulnerabilities, such as the one presented by
mattw@l0pht.com (Web users can write to remote server drives and change
server configuration files), come into play once more with the addition
of the vulnerability in the Notes Client. No new vulnerability exists in
Lotus Domino servers that run the HTTP task by default.

II. Impact

Remote intruders can potentially retrieve databases under development,
confidential company records, and similar data. All of the above can be
achieved simply by connecting to a vulnerable Notes Client.

IIa. To Test

From within Lotus Notes 4.6+ Client:
1. Open any given database
2. Click Actions -> Preview in Web Browser

This should have launched your designated web browser and connected to
http://199.99.99.99/database or something similar. Even though you only
have the Notes Client installed on the machine and not the server, the
HTTPD task is now running and accepting connections on port 80. Thus
anyone on the Internet could then request
http://199.99.99.99/domcfg.nsf/?open or even http://199.99.99.99 (to get
a listing of the available databases). Subsequently you could open the
log and see the database(s) the given user had recently been accessing
or modifying.

From this point you can search around and basically manipulate documents
that do a wide variety of things. Domino URL commands (which can be used
to edit, delete, and manipulate files via the web) can be found in all
documentation as well as at:
http://www.notes.net/today.nsf/cbb328e5c12843a9852563dc006721c7/ca5230f9baf39fe1852564b5005e8419

Note: Once the Notes Client is closed the HTTPD task is also.

III. Solution

ACLs need to be edited manually by a competent admin to ensure
security.  If, for example, domlog.nsf can be read, that alone is a
security breach.

Workaround
Set up routing filters to disallow access to the HTTP port of
Notes Client only machines.
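The check an administrator would want after the Solution and Workaround above, as an added example that is not part of the L0pht advisory or of Lotus Notes: a small Python script that confirms, from the workstation itself, that nothing is left accepting connections on port 80 once the client has been closed (the advisory notes the HTTPD task stops with the client), and that lists the client-only hosts for which the routing-filter workaround is still needed. The inventory, host names, addresses and the "client-only"/"domino-server" roles are constructed sample data, and the probe is injectable so the inventory audit runs without touching any network.

```python
import socket

# Added example; not part of the L0pht advisory and not Lotus code. It never
# talks to Notes itself: it only tests whether a TCP port accepts connections.
# Host names, addresses and roles in SAMPLE_INVENTORY are constructed.

NOTES_HTTP_PORT = 80  # port the advisory reports the HTTPD task listening on


def port_accepts_connections(host, port, timeout=1.0):
    """True if a TCP connection to host:port completes.

    A refused connection means nothing is listening; a timeout is treated the
    same way so the check never hangs on a filtered port.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # ConnectionRefusedError and socket.timeout are OSErrors
        return False


def hosts_needing_filter(inventory, port=NOTES_HTTP_PORT,
                         probe=port_accepts_connections):
    """Return the client-only hosts that still answer on the HTTP port.

    inventory: list of (hostname, address, role) with role "client-only" or
    "domino-server". Servers are expected to serve HTTP and are skipped; a
    client-only machine that answers is one the routing filter must cover
    (or whose web preview process should be stopped). `probe` takes
    (address, port) and is injectable for offline use.
    """
    exposed = []
    for hostname, address, role in inventory:
        if role != "client-only":
            continue
        if probe(address, port):
            exposed.append(hostname)
    return exposed


def start_constructed_listener():
    """Open a loopback listener on an ephemeral port to stand in for a
    lingering HTTPD task (constructed for demonstration; never binds 80)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    return sock, sock.getsockname()[1]


# Constructed inventory (hypothetical host names and addresses).
SAMPLE_INVENTORY = [
    ("dev-ws-01", "10.0.0.11", "client-only"),
    ("dev-ws-02", "10.0.0.12", "client-only"),
    ("domino-01", "10.0.0.5", "domino-server"),
]


if __name__ == "__main__":
    # Local self-check on this workstation after closing the Notes Client.
    if port_accepts_connections("127.0.0.1", NOTES_HTTP_PORT):
        print("port 80 still accepts connections: stop the local web preview")
    else:
        print("nothing is listening on port 80")

    # Inventory audit with a constructed probe standing in for real results.
    observed_open = {"10.0.0.12", "10.0.0.5"}
    print(hosts_needing_filter(SAMPLE_INVENTORY,
                               probe=lambda addr, p: addr in observed_open))
```

Run it on a client-only machine after closing the Notes Client; anything reported on port 80 means the preview web server is still up. For the inventory part, replace the constructed probe with the real `port_accepts_connections` only when auditing machines you administer.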

--------------------------------------------------------------------------

The authoritative version of this file is at:
http://www.l0pht.com/advisories.html

--------------------------------------------------------------------------

From bigsmoke@hotmail.com Thu Aug  6 13:43:22 1998
Date: Thu, 06 Aug 1998 13:28:26 PDT
From: Marcus Fontenot <bigsmoke@hotmail.com>
To: submission@rootshell.com
Subject: Lotus Notes 4.6 preview in web is not a bug

Perhaps you can review this knowledgebase article from Lotus.
Technote 155314, this article was written 10/17/97.

Security Precaution When Using Notes 4.6 "Preview in Web Browser" Feature

Problem:

When you use the feature "Preview in Web Browser" on a Notes 4.6 
Designer client while designing a Web application, other users can 
access Notes databases on your PC.

Solution:

When you use the feature "Preview in Web Browser" your machine becomes, 
in actuality, a Web server.  You are truly previewing the application 
via HTTP, with databases published through an HTTP Web Server task.  
This continues until you select the following option from the menus:

"File, Tools, Stop Local Web Preview Process"  

To prevent unauthorized access to your computer when you use the 
"Preview in Web Browser" feature, database access levels in the Access 
Control Lists (ACLs) for all databases relative to the Notes data 
directory must be set appropriately.  This means no Anonymous access 
should be configured for databases you want to hide from other users, 
and the Default access for those databases should be set to "No Access."  
These are the same user access guidelines used for any Domino Web 
server.

Note: To successfully preview a target database, however, the user 
Anonymous must have at least Read access in that database's ACL.  
Likewise, you need Designer access for Domino to see forms.  So, the 
user Anonymous must be given access to databases you wish to preview, 
but Default should not be granted any access.

Lotus stresses the importance of this security precaution, as you can 
inadvertently expose your machine to anyone on your network, or to 
anyone who can PING you via your computer's IP address.  While the local 
machine has the ability to perform ACL authentication challenges, the 
client's Personal Name and Address Book does not have the Person records 
which are used to authenticate.  Therefore, to avoid potential security 
breaches, you need to take the appropriate steps to protect your 
machines when using the Notes Designer.

*	Set all database Default ACL entries to "No Access."

*	Ensure that "Anonymous" has some form of access to the databases under 
design.

*	Use selective replication to limit the amount of data stored on the 
local machine. 

*	When the design work is done, Anonymous access should be removed (or 
left in place, if appropriate for the server-based database).


Supporting Information:

Lotus is currently investigating creating (and posting to the Web) an 
Agent that performs these security steps easily, in an automated 
fashion.  This document will be updated if such a tool is published.


© 1997 Lotus Development Corporation, an IBM subsidiary. All rights 
reserved. 
Material may not be reproduced or distributed in any form without 
permission.


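The Technote's ACL rules, turned into a check as an added example that is not Lotus code and does not use the Notes API. The ACL export format {database: {entry: level}}, the "-Default-" entry name, and the sample databases are constructed. The check encodes the Technote's four points: Default must be "No Access" everywhere; a database under design needs Anonymous at Reader or above so the preview works; every other database must give Anonymous no access; and finish_design removes the Anonymous entry once design work is done. It relies on one Domino behaviour: a database with no Anonymous entry gives unauthenticated web users the Default level.

```python
# Added example, not Lotus code. ACLs are modelled as {database: {entry: level}}
# using the standard Notes access levels; the data in SAMPLE_ACLS is constructed.

LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor",
          "Designer", "Manager"]
RANK = {name: i for i, name in enumerate(LEVELS)}

DEFAULT_ENTRY = "-Default-"   # the Default ACL entry in the constructed export
ANONYMOUS = "Anonymous"


def effective_anonymous_level(acl):
    """Level an unauthenticated web user gets: the Anonymous entry if present,
    otherwise the Default entry (Domino falls back to Default)."""
    if ANONYMOUS in acl:
        return acl[ANONYMOUS]
    return acl.get(DEFAULT_ENTRY, "No Access")


def audit_acl(db, acl, under_design):
    """Return (database, problem) findings for one database's ACL."""
    findings = []
    for entry, level in acl.items():
        if level not in RANK:
            findings.append((db, f"unknown access level '{level}' for {entry}"))
            return findings

    default = acl.get(DEFAULT_ENTRY)
    if default is None:
        findings.append((db, "Default entry missing"))
    elif default != "No Access":
        findings.append((db, f"Default is {default}, must be No Access"))

    anon = effective_anonymous_level(acl)
    if under_design:
        # The Technote requires at least Read for Anonymous so the preview works
        # (it also mentions Designer access for forms; only Reader is enforced here).
        if RANK[anon] < RANK["Reader"]:
            findings.append((db, "Anonymous needs at least Reader to preview"))
    elif RANK[anon] > RANK["No Access"]:
        findings.append((db, f"Anonymous can reach this database ({anon}); "
                             "remove Anonymous access"))
    return findings


def audit_all(acls, databases_under_design):
    """Audit every database; databases_under_design is a set of names."""
    findings = []
    for db, acl in sorted(acls.items()):
        findings.extend(audit_acl(db, acl, db in databases_under_design))
    return findings


def finish_design(acl):
    """Step 4 of the Technote: drop the Anonymous entry once design is done."""
    return {entry: level for entry, level in acl.items() if entry != ANONYMOUS}


# Constructed sample export (hypothetical database and user names).
SAMPLE_ACLS = {
    "webapp.nsf": {"-Default-": "No Access", "Anonymous": "Reader",
                   "Developer/Acme": "Manager"},           # correct for preview
    "names.nsf": {"-Default-": "Reader", "LocalUser/Acme": "Manager"},  # Default too open
    "log.nsf": {"-Default-": "No Access", "Anonymous": "Reader"},       # leftover Anonymous
    "design2.nsf": {"-Default-": "No Access"},              # under design, no Anonymous
}
UNDER_DESIGN = {"webapp.nsf", "design2.nsf"}


if __name__ == "__main__":
    for db, problem in audit_all(SAMPLE_ACLS, UNDER_DESIGN):
        print(f"{db}: {problem}")
    print(audit_acl("webapp.nsf", finish_design(SAMPLE_ACLS["webapp.nsf"]), False))
```

The names.nsf case is the one the Technote warns about: with no Anonymous entry, a Default of Reader is what anonymous web users receive, so the check reports both the open Default and the resulting Anonymous exposure.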