|
|
|
|
| |
Lotus Domino is an Application server designed to aid workgroups and collaboration on projects and offers SMTP, POP3, IMAP, LDAP, and web services that allow users to interact with Lotus Notes databases.
A Lotus Notes databases designer can create a navigator that allows a user to navigate the database for documents and each database comes with a default navigator called $defaultNav. This default navigator exposes a list of visible views to the user. If a web user was to access the default navigator over the web, this may pose a mild security risk and as such a work around was created to prevent this. This work around is to create a URL to redirection mapping so that if anyone were to make a request for the default navigator they would be redirected elsewhere. NSIR have found that the current advice is wanting and is trivial to bypass and therefore the default navigator can still be accessed. |
| |
Credit:
The information has been provided by NGSSoftware Insight Security Research.
|
| |
Vulnerable systems:
Lotus Domino Web Server 5.x on all operating systems
The current advice dictates that a URL to redirection mapping be created such that any requests for */*.nsf/$defaultNav* are redirected. This is lacking in two ways:
First, if a user makes a request using the database's ReplicaID the pattern matching is broken and access to the default navigator is gained.
Second, if any of the characters are URL encoded, i.e. the characters are changed from their ASCII to hex equivalent, then again, access to the default navigator is granted as the pattern matching is broken.
This happens because Domino web server does not decode the request before deciding whether the request should be redirected or not.
Fix information:
First, it must be noted that ensuring the database objects are secure with access control lists is far more preferable to relying on security through obscurity, which essentially the workaround to prevent access to the default navigator is. However, some administrators may still wish to prevent this so NISR suggest taking the following steps:
A Domino administrator needs to create a URL redirection mapping for every possibility and when you consider /$%44efaultNav works just as well as /$%64efaultNav you have to take into case sensitivity. Due to this, it would be far too impractical to have a mapping for every variant. It is suggested therefore that only the first two characters be taken into consideration - $d. This way only 8 mappings need to be created:
*/%24D*
*/%24d*
*/%24%64*
*/%24%44*
*/$d*
*/$D*
*/$%64*
*/$%44*
To create a URL -> Redirection mapping:
Open the servers view and then click on the Actions menu bar item then select Web -> Create a URL Mapping/Redirection. This will open up the Mapping/Redirection form. On the Basics tab, you want to set up a "URL -> Redirection" action. If the server in question is a virtual server from the site information tab, enter its IP address and optionally a comment. In the mapping tab enter in the "Incoming URL path" edit box enter one of the eight listed above. In the "Redirection URL string" edit box, enter a URL where you would have the person redirected to - for example the homepage. You need not enter anything in the "Administration" tab. Once all 8 have been added, save and close the document and issue from the Domino console the command "tell http restart" for the changes to take effect.
Note that if you substitute the leading slash with %2F or %5C the redirection mapping still works:
http://server/foo.nsf%2f$defaultNav
Produces a 500 Unable to process request response,
Where as
http://server/foo.nsf%5C$defaultNav
Performs the redirection.
NextGenSS Insight Security Research have also tested variants of double URL encoding and UTF-8 encoding and these seem not to work - i.e. an attacker cannot get access to the default Navigator. If you have a normal database view which starts with the characters "$d" then this fix will prevent access to this view from over the web as any request that contains with "/$d" will be redirected. To work around this, you could set up an alias for this view.
Reiterating, if access control lists are set properly on the database and its objects then even if someone were able to access the default navigator then the risk posed is greatly minimized.
Lotus were informed about this and they agreed that relying on security through obscurity measures was inadequate and the best way to ensure security of a Domino application was through the use of proper access control lists.
|
|
|
|
|
|
|
|
|
|
