HCL Notes/Domino 8.5 Forum (includes Notes Traveler)

Subject: Managing access control lists and security threats
Feedback Type: Suggestion
Product Area: Domino Server
Technical Area: Security
Platform: ALL
Release: 8.5.3
Reproducible: Always

I have found a potential security hole within Domino. After logging into the main site www.example.com, navigate to www.example.com/names.nsf. You will be surprised at the level of detailed information hackers could use. With a generic user account, I was able to read usernames and gain information about the organization and find people behind the scenes. I was able to look at server settings and possibly find incorrect settings which could allow me to backdoor my way in. The list goes on. You also can replace the "names.nsf" database with "admin4.nsf" or a host of other commonly used Notes databases. After obtaining information, you can even find databases that were created by users, developers, or administrators and gain access to those resources. I, however, wasn't able to write or edit any document. I believe this is a multiple server authentication (SSO) issue only and wasn't able to replicate it with single server authentication.

Default access control is for users that are not listed in the acl.

Anonymous access control is for users that haven't yet logged in.

As an administrator, the less knowledge one obtains, the less of a risk they are. As a general standard, or security 101, remove permission for the "Default" and "Anonymous" groups to databases. Also use appropriate access controls for users and groups to mission critical databases.

Hacking is bad, protecting is good. Don't use this in evil adventures. Thanks,


Feedback number WEBB8UKSXN created by ~John Opfreevitch on 05/23/2012
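One way to find the databases the post is talking about, as an added example that is not part of the original post or of the Domino product: a Notes Java API audit that walks every database in a server's data directory and reports any "-Default-" or "Anonymous" ACL entry set above No Access. It assumes Notes.jar on the classpath, a hypothetical server name (CN=Server1/O=ExampleOrg), and an ID that is allowed to open each database and read its ACL.

```java
import lotus.domino.*;

// Added example, not code from the original post. Lists databases whose
// -Default- or Anonymous ACL entry grants more than No Access, so that an
// administrator can review them the way the post recommends.
public class AclAudit extends NotesThread {
    // Hypothetical server name; replace with the server being audited.
    private static final String SERVER = "CN=Server1/O=ExampleOrg";
    private static final String[] LEVELS = {"No Access", "Depositor", "Reader",
                                            "Author", "Editor", "Designer", "Manager"};

    public static void main(String[] args) {
        new AclAudit().start();   // NotesThread initialises the Notes runtime
    }

    public void runNotes() {
        try {
            Session session = NotesFactory.createSession();
            DbDirectory dir = session.getDbDirectory(SERVER);
            Database db = dir.getFirstDatabase(DbDirectory.DATABASE);
            while (db != null) {
                try {
                    // The ACL can only be read on an open database.
                    if (db.isOpen() || db.open()) {
                        ACL acl = db.getACL();
                        ACLEntry entry = acl.getFirstEntry();
                        while (entry != null) {
                            String name = entry.getName();
                            // "-Default-" covers authenticated users not listed in the
                            // ACL; "Anonymous" covers users who have not logged in.
                            if ((name.equals("-Default-") || name.equals("Anonymous"))
                                    && entry.getLevel() > ACL.LEVEL_NOACCESS) {
                                System.out.println(db.getFilePath() + ": " + name
                                        + " = " + LEVELS[entry.getLevel()]);
                            }
                            entry = acl.getNextEntry(entry);
                        }
                    } else {
                        System.out.println(db.getFilePath() + ": could not open");
                    }
                } catch (NotesException e) {
                    // Report and keep going; one unreadable database should not stop the audit.
                    System.err.println(db.getFilePath() + ": Notes error " + e.id + ": " + e.text);
                }
                db = dir.getNextDatabase();
            }
            session.recycle();
        } catch (NotesException e) {
            System.err.println("Notes error " + e.id + ": " + e.text);
        }
    }
}
```

Run it with the Notes client or server's Notes.jar on the classpath; the output is a review list, since some web-facing databases legitimately grant Anonymous Reader access.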

Status: Open
Comments:

Managing access control lists and s... (~John Opfreevit... 23.May.12)
. . Extended ACL (~Ned Nimfanakon... 24.May.12)
. . Anonymous (~Judy Kinisonli... 5.Jun.12)
. . Managing access control lists and s... (~Ethan Kijumiko... 24.May.12)