COMMAND

    Lotus Domino

SYSTEMS AFFECTED

    All platforms

PROBLEM

    Weld Pond (L0pht) posted the following.  It was found by nardo.  The
    vulnerability affects websites created by Lotus Business Partners who
    provide training services and accept credit card numbers via the web;
    however, in theory the vulnerabilities could extend to any e-Commerce
    site.  Several Lotus Business Partners were confirmed to be affected
    by this.

    Web users can navigate to the portion of the site used for processing
    registration and/or payment information and remove everything to the
    right of the database name in the URL (the databases typically end in
    .nsf).  In one example of this vulnerability, all the database views
    were then exposed, including a view containing previous registrations
    and a view containing "All Documents".  These views could then be
    accessed by clicking on the link and browsing the data within the view
    (typically consisting of business and customer names, addresses, phone
    numbers, and payment information).  In another example, the views were
    protected from direct browsing, but could still be searched using the
    standard URL format for searches in Domino.  This method would then
    allow the database to be searched for everyone who paid with a
    specific credit card or everyone who lives within a certain city.

    To test, navigate through a Domino site, and once a database has been
    accessed, remove the information after the .nsf (or after the first
    set of numbers following the server portion of the URL) and replace
    it with "?Open".  If you are then presented with a list of views, your
    site is potentially vulnerable to having anonymous users access the
    information contained within the views listed.  Lotus recommends
    blocking this access through a $$ViewTemplateDefault.  If this
    technique is used, the second vulnerability comes into play, which is
    to access the view using the following URL format:

        http://www.server.com/database.nsf/viewname?SearchView&Query="*"

    This technique will bypass the $$ViewTemplateDefault if the database
    is full-text indexed.  Many full-text indexed sites were found
    vulnerable to this "feature" that their developers didn't plan for.

SOLUTION

    The sites affected could have been protected using reader and author
    names fields to prevent unauthorized access to their clients'
    sensitive data.  The internal registration views could've been hidden
    from anonymous users.  They should've included a $$SearchTemplateDefault
    with no $$ViewBody field to block any unwelcome searching.
    Additionally, every Domino site should disallow anonymous access for
    at least these databases: names.nsf, catalog.nsf, log.nsf, domlog.nsf,
    domcfg.nsf.
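
    As an added illustration (not part of the original advisory, and not
    anything Lotus ships), the following Python script runs over a web
    server access log and flags the request shapes described above: a
    bare database URL opened with ?Open (which lists views when no
    template blocks it), a ?SearchView whose Query is the wildcard "*",
    an anonymous ?SearchView of any kind, and any anonymous request to
    the system databases named in the solution.  The sample log lines,
    hostnames, database and view names are constructed for the example;
    the Common Log Format layout, the treatment of "-"/"Anonymous" as the
    unauthenticated user, and the rule names are assumptions of this
    script, not Domino's own log format.

```python
import re
from urllib.parse import unquote, urlsplit

# Databases the advisory says must never be reachable by anonymous users.
SYSTEM_DBS = {"names.nsf", "catalog.nsf", "log.nsf", "domlog.nsf", "domcfg.nsf"}

# Common Log Format (assumed): host ident authuser [time] "request" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)$'
)
# Locate the .nsf database in the path and whatever follows it (view/document).
NSF_RE = re.compile(r'/(?P<db>[^/?]+\.nsf)(?P<rest>/[^?]*)?$', re.IGNORECASE)

# Constructed sample log: a registration database plus one probe of names.nsf.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/1999:10:01:02 -0500] "GET /training/register.nsf/Registration?OpenForm HTTP/1.0" 200 4821
203.0.113.7 - - [12/Feb/1999:10:01:40 -0500] "GET /training/register.nsf?Open HTTP/1.0" 200 2210
203.0.113.7 - - [12/Feb/1999:10:02:15 -0500] "GET /training/register.nsf/Registrations?SearchView&Query=%22*%22 HTTP/1.0" 200 18877
203.0.113.7 - - [12/Feb/1999:10:03:01 -0500] "GET /names.nsf?Open HTTP/1.0" 403 311
198.51.100.4 - jsmith [12/Feb/1999:10:04:00 -0500] "GET /training/register.nsf/Registrations?SearchView&Query=city HTTP/1.0" 200 5120
"""


def parse_domino_query(query):
    """Split a Domino query string into its leading command and keyed arguments.

    Domino URLs look like db.nsf/view?SearchView&Query=...; the first token
    is the command, later tokens are key=value pairs.
    """
    tokens = [t for t in query.split("&") if t]
    if not tokens:
        return "", {}
    command = tokens[0].split("=", 1)[0].lower()
    args = {}
    for tok in tokens[1:]:
        key, _, value = tok.partition("=")
        args[key.lower()] = unquote(value)
    return command, args


def classify_request(target, user, status):
    """Return a finding dict for one request target, or None if no rule matches."""
    parts = urlsplit(target)
    m = NSF_RE.search(unquote(parts.path))
    if not m:
        return None  # not a Domino database URL
    db = m.group("db").lower()
    rest = (m.group("rest") or "").rstrip("/")
    command, args = parse_domino_query(parts.query)
    anonymous = user.lower() in ("-", "anonymous")  # assumed log convention

    rule = None
    if db in SYSTEM_DBS and anonymous:
        rule = "anonymous-system-db"
    elif command == "open" and rest == "":
        rule = "db-root-open"  # bare database URL: view list unless templated
    elif command == "searchview":
        query = args.get("query", "").strip().strip('"')
        if query == "*":
            rule = "wildcard-searchview"  # the bypass described above
        elif anonymous:
            rule = "anonymous-searchview"
    if rule is None:
        return None
    return {"rule": rule, "db": db, "user": user, "status": int(status)}


def scan_log(lines):
    """Parse CLF lines and collect findings in log order; unparseable lines are skipped."""
    findings = []
    for line in lines:
        line = line.strip()
        m = CLF_RE.match(line) if line else None
        if not m:
            continue
        finding = classify_request(m.group("target"), m.group("user"), m.group("status"))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        # A 4xx status means the server refused the request; 200 means data was served.
        print(f"{f['rule']:22} db={f['db']:14} user={f['user']:8} status={f['status']}")
```

    Run against the sample, the script reports the anonymous ?Open of the
    database root and the wildcard search (both served with 200) and the
    refused anonymous request to names.nsf (403); the authenticated
    search for a city by jsmith is not flagged.  A 200 on the first two
    rules is the signal that a $$ViewTemplateDefault or reader names
    protection is missing or being bypassed.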