[thelist] Lotus Notes Web Security

Ron_Senykoff at BEAEROSPACE.COM
Mon Aug 6 14:17:40 CDT 2001


I know most people on this list aren't using Notes for web development...
but if you know somebody who is there are some very basic things that need
to be taken care of.  This weekend I discovered many sites that were wide
open.  Uncle Sam uses a lot of Notes, BTW... ;)  I did, however, inform the
admins of any sites I found to be open.  I am not a hacker, I am a
developer who discovered a problem.

**The information below is for security purposes and is not to be used for
illegal activity of any kind**

OK.  With that said...

Lotus Notes databases end in the extension *.nsf (Notes Storage Facility).
So... go out there to google and do a search for home.nsf, website.nsf,
yomamma.nsf, etc and you'll get a bunch of domino servers as results.

Pick a server.  http://www.daServerYouFoundFromGoogle.com/website.nsf
and add $DefaultNav to the end so you get
http://www.daServerYouFoundFromGoogle.com/website.nsf/$DefaultNav

If you get a list of URLs, you are seeing something the developer never
intended for you to see.  This is the default navigator for the application
(website.nsf), which gives a list of all views.  Click on a view that looks
interesting and you should see a list of documents.  Open a document (it
may be a web page, for example).  Now change the end of the URL from
?OpenDocument to ?EditDocument.  In many cases this won't work, but in
many, it will return a form with the data in fields.  You could simply edit
the form and submit it and it would modify their page!  How crazy is that!

Also, many times people are collecting information from their site (email
addresses) and storing them.  If they haven't locked it down, you can grab
all the email addresses and other info that they submitted.  They will
usually be in a view called surveyResults or something super-obvious.
Remember, they didn't think you would see this.

HOW TO FIX:  The $DefaultNav can be prevented by the admin.  They need to
add a redirection document to the server web configuration.  This should
redirect *.nsf/$Default* to the homepage or an error page displaying the
user's IP or something.

Now, maybe they did lock down the web database, after all, it is viewable
from the web.  But... all Notes 4.6 + databases can be viewed from a
browser.  The server automatically translates them.  This means that they
may have never intended browser access and never thought about it.  But,
you can still maybe find it...  think of the company that has 1 notes
server and has the website + other apps on it.  It could be behind a
firewall, but port 80 is all you need...

Take your server
http://www.daServerYouFoundFromGoogle.com/website.nsf
and do this
http://www.daServerYouFoundFromGoogle.com/catalog.nsf

If you can see the catalog, you can get a list of all databases on that
server.  PLUS, you can see if there are other servers and see what they
have on them as well.  When I was poking around I found HR applications,
help desk request applications, all wide open.  Why?  They were intended to
be used by everybody in the company, so why lock them down?  The server is
behind the firewall...

HOW TO FIX:  Don't allow anonymous access to the freakin catalog.  The
catalog provides the biggest starting point a hacker could ask for.  It
lists every single database on the server and says to the hacker "Here's my
exact URL.  Come see if I had a good developer or not!"  Also, it lists
servers that may not be accessible from outside the firewall.  This info,
though, lets a hacker know what to attack once getting a trojan inside the
company.

Anyways, I hope this has been helpful to somebody.  Email me offlist if you
have any questions.  I really think Notes serves a great purpose and I
would hate for it to get a bad name because people left apps wide open.

-Ron
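A way for a Domino admin to check whether the three things Ron describes ($Default* navigators, catalog.nsf, and ?EditDocument) are actually being served to anonymous browsers, and which databases anonymous clients reached at all, is to run the HTTP access log through a small audit script. The script below is an added example written for this archive, not code from Ron or from Lotus; it assumes the HTTP task logs in Common Log Format with "-" in the user field for Anonymous, and the log lines embedded in it are constructed to show each case (the hostnames, database names and IPs are made up). Only 2xx responses count as findings, because a 401 or 403 on the same URL means the ACL did its job.

```python
"""Audit Domino HTTP access-log lines (Common Log Format assumed) for the
anonymous URL patterns from the post and list the databases anonymous
clients actually got served.  Added example; not Lotus/Domino's own tooling."""
import re
from urllib.parse import unquote

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status bytes
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)
# Everything up to the first ".nsf" is the database path (e.g. "hr/reviews.nsf").
DB_RE = re.compile(r'^/(?P<db>[^?]*?\.nsf)')

# Rule name and predicate over (user, lower-cased URL-decoded path).
RULES = [
    ("default-navigator", lambda u, p: ".nsf/$default" in p),      # $DefaultNav, $DefaultView...
    ("catalog-listing",   lambda u, p: p.startswith("/catalog.nsf")),
    ("anonymous-edit",    lambda u, p: u == "-" and "?editdocument" in p),
]

# Constructed sample log lines (hypothetical server, addresses and databases).
SAMPLE_LOG = """\
10.0.0.5 - - [06/Aug/2001:14:02:11 -0500] "GET /website.nsf/$DefaultNav HTTP/1.0" 200 4312
10.0.0.5 - - [06/Aug/2001:14:02:40 -0500] "GET /website.nsf/surveyResults?OpenView HTTP/1.0" 200 10233
10.0.0.5 - - [06/Aug/2001:14:03:05 -0500] "GET /website.nsf/pages/home?EditDocument HTTP/1.0" 200 8841
10.0.0.5 - - [06/Aug/2001:14:03:30 -0500] "GET /catalog.nsf HTTP/1.0" 200 2210
10.0.0.5 - - [06/Aug/2001:14:04:02 -0500] "GET /helpdesk/requests.nsf/Open?OpenView HTTP/1.0" 200 5120
192.168.1.20 - jsmith [06/Aug/2001:14:05:00 -0500] "GET /hr/reviews.nsf/ByEmployee?OpenView HTTP/1.0" 200 5120
10.0.0.7 - - [06/Aug/2001:14:06:10 -0500] "GET /website.nsf/pages/home?OpenDocument HTTP/1.0" 200 3100
10.0.0.9 - - [06/Aug/2001:14:07:00 -0500] "GET /catalog.nsf HTTP/1.0" 401 0
"""


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["decoded"] = unquote(rec["path"]).lower()   # normalise %24 -> $, case
    dbm = DB_RE.match(rec["decoded"])
    rec["db"] = dbm.group("db") if dbm else None
    return rec


def classify(rec):
    """Names of the rules this request triggers, regardless of response status."""
    return [name for name, pred in RULES if pred(rec["user"], rec["decoded"])]


def audit(lines, public_dbs):
    """Return findings (served 2xx), denied attempts, and anonymous-served
    databases that are not on the admin's list of intentionally public ones."""
    public = {d.lower() for d in public_dbs}
    report = {"findings": [], "denied": 0, "unexpected_dbs": set(), "unparsed": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            report["unparsed"] += 1
            continue
        hits = classify(rec)
        served = 200 <= rec["status"] < 300
        if hits and not served:
            report["denied"] += 1          # ACL or redirection rule stopped it
        if served:
            for name in hits:
                report["findings"].append((name, rec["ip"], rec["path"]))
            if rec["user"] == "-" and rec["db"] and rec["db"] not in public:
                report["unexpected_dbs"].add(rec["db"])
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_LOG.splitlines(), ["website.nsf"])
    for name, ip, path in result["findings"]:
        print(f"{name:18} {ip:14} {path}")
    print("denied attempts:", result["denied"])
    print("databases served to Anonymous but not meant to be public:",
          sorted(result["unexpected_dbs"]))
```

The `unexpected_dbs` set is the part worth reading most closely: it is exactly the "HR and help desk apps behind the firewall" problem, a database the developer never meant to expose showing up as a 200 to a user of "-". Feed it the real log and a list of the databases that are supposed to be public, and anything left over needs an ACL change.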




