'Lotus Domino Default Navigator Protection By-pass (#NISR29102001B)'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    Lotus Domino Default Navigator Protection By-pass (#NISR29102001B)
From:       "NGSSoftware Insight Security Research" <nisr () nextgenss ! com>
Date:       2001-10-31 0:14:28
[Download RAW message or body]

NGSSoftware Insight Security Research Advisory

Name:    Lotus Domino Default Navigator Protection By-pass
Systems Affected:  Lotus Domino Web Server 5.x on all operating systems
Severity:  Low
Vendor URL:   http://www.lotus.com/
Author:   David Litchfield (david@nextgenss.com)
Date:   29th October 2001
Advisory number: #NISR29102001B


Description
***********
Lotus Domino is an Application server designed to aid workgroups and
collaboration on projects and offers SMTP, POP3, IMAP, LDAP and web services
that allow users to interact with Lotus Notes databases.

A Lotus Notes databases designer can create a navigator that allows a user
to navigate the database for documents and each database comes with a
default navigator called $defaultNav. This default navigator exposes a list
of visible views to the user. If a web user was to access the default
navigator over the web this may pose a mild security risk and as such a work
around was created to prevent this. This work around is to create a URL to
Redirection mapping so that if anyone were to make a request for the the
default navigator they would be redirected elsewhere. NSIR have found that
the current advice is wanting and is trivial to bypass
and therefore the default navigator can still be accessed.



Details
*******
The current advice dictates that a URL to Redirection Mapping be created
such that any requests for */*.nsf/$defaultNav* are redirected. This is
lacking in two ways.

Firstly, if a user makes a request using the database's ReplicaID the
pattern matching is broken and access to the default navigator is gained.

Secondly if any of the characters are URL encoded, i.e. the characters are
changed from their ASCII to hex equivalent, then again access to the default
navigator is granted as the pattern matching is broken.

This happens because Domino web server does not decode the request before
deciding whether the request should be redirected or not.

Fix Information
***************
Firstly, it must be noted that ensuring the database objects are secure with
access control lists is far more preferable to relying on security through
obscurity, which essentially the workaround to prevent access to the default
navigator is. However, some administrators may still wish to prevent this so
NISR suggest taking the following steps:




A Domino administrator needs to create a URL redirection mapping for every
possibility and when you consider /$%44efaultNav works just as well as
/$%64efaultNav you have to take into case sensitivity. Due to this it would
be far too impracticle to have a mapping for every variant. It is suggested
therefore that only the first two characters be taken into consideration -
$d. This way only 8 mappings need to be created:

*/%24D*
*/%24d*
*/%24%64*
*/%24%44*
*/$d*
*/$D*
*/$%64*
*/$%44*

To create a URL -> Redirection mapping:

Open the servers view and then click on the Actions menu bar item then
select Web -> Create a URL Mapping/Redirection. This will open up the
Mapping/Redirection form. On the Basics tab you want to set up a "Url ->
Redirection" action. If the server in question is a virtual server from the
site information tab enter its IP address and optionally a comment. In the
mapping tab enter in the "Incoming URL path" edit box enter one of the eight
listed above. In the "Redirection URL string" edit box enter a url where
you'd have the person redirected to - for example the homepage. You need not
enter anything in the
"Administration" tab. Once all 8 have been added save and close the document
and issue from the Domino console the command "tell http restart" for the
changes to take effect.

Note that if you substitute the leading slash with %2F or %5C the
redirection mapping still works:

http://server/foo.nsf%2f$defaultNav
produces a 500 Unable to process request response,

where as

http://server/foo.nsf%5C$defaultNav

performs the redirection.


NextGenSS Insight Security Research have also tested variants of double URL
encoding and UTF-8 encoding and these seem not to work - i.e. an attacker
cannot get access to the default Navigator. If you have a normal database
view which starts with the characters "$d" then this fix will prevent access
to this view from over the web as any request that contains with "/$d" will
be redirected. To work around this you could set up an alias for this view.

Reiterating, if access control lists are set properly on the database and
its objects then even if someone were able to access the default navigator
then the risk posed is greatly minimized.

Lotus were informed about this and they agreed that relying on security
through obscurity measures was inadequate and the best way to ensure
security of a Domino application was through the use of proper access
control lists.


A check for this issue already exists in DominoScan, NGSSoftware's Lotus
Domino application security scanner, of which, more information is available
from http://www.nextgenss.com/dominoscan.html . NISR have also written a
white paper on how to secure Lotus Domino's web server available from
http://www.nextgenss.com/papers.html

-----------------------------------------------------

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic