OSEC

From: Steve (stevesecuresolutions.org)
Date: Tue Oct 30 2001 - 18:28:26 CST


    NGSSoftware Insight Security Research Advisory

    Name: Lotus Domino Default Navigator Protection By-pass
    Systems Affected: Lotus Domino Web Server 5.x on all operating systems
    Severity: Low
    Vendor URL: http://www.lotus.com/
    Author: David Litchfield (davidnextgenss.com)
    Date: 29th October 2001
    Advisory number: #NISR29102001B

    Description
    ***********
    Lotus Domino is an application server designed to support workgroups and
    collaborative projects. It offers SMTP, POP3, IMAP, LDAP and web
    services that allow users to interact with Lotus Notes databases.

    A Lotus Notes database designer can create a navigator that allows a
    user to navigate the database for documents, and each database comes with
    a default navigator called $defaultNav. This default navigator exposes a
    list of visible views to the user. Exposing the default navigator to web
    users may pose a mild security risk, so a workaround was created to
    prevent this: a URL-to-Redirection mapping, so that anyone who requests
    the default navigator is redirected elsewhere. NISR have found that the
    current advice is wanting: it is trivial to bypass, and the default
    navigator can therefore still be accessed.

    Details
    *******
    The current advice dictates that a URL-to-Redirection mapping be created
    such that any request for */*.nsf/$defaultNav* is redirected. This is
    lacking in two ways.

    Firstly, if a user makes the request using the database's ReplicaID
    rather than its .nsf file name, the pattern no longer matches and access
    to the default navigator is gained.

    Secondly, if any of the characters are URL-encoded, i.e. replaced by a
    percent sign followed by their hex value (%24 for $, %64 for d), the
    pattern again fails to match and access to the default navigator is
    granted.

    This happens because the Domino web server matches the mapping against
    the raw request and does not URL-decode it before deciding whether the
    request should be redirected.

    Fix Information
    ***************
    Firstly, it must be noted that securing the database objects with access
    control lists is far preferable to relying on security through
    obscurity, which is essentially what the workaround to prevent access to
    the default navigator is. However, some administrators may still wish to
    prevent this access, so NISR suggest taking the following steps:

    A Domino administrator would need to create a URL redirection mapping for
    every possible encoding, and when you consider that /$%44efaultNav works
    just as well as /$%64efaultNav, case sensitivity has to be taken into
    account as well. It would be far too impractical to have a mapping for
    every variant. It is suggested therefore that only the first two
    characters, $d, be matched. Each of the two characters can appear raw or
    percent-encoded, and the d in either case, so only 8 mappings need to be
    created:

    */%24D*
    */%24d*
    */%24%64*
    */%24%44*
    */$d*
    */$D*
    */$%64*
    */$%44*

    To create a URL -> Redirection mapping:

    Open the Servers view, click on the Actions menu bar item and select
    Web -> Create a URL Mapping/Redirection. This opens the
    Mapping/Redirection form. On the Basics tab, set up a "Url ->
    Redirection" action. If the server in question is a virtual server, enter
    its IP address and optionally a comment on the Site Information tab.
    On the Mapping tab, enter one of the eight patterns listed above in the
    "Incoming URL path" edit box, and in the "Redirection URL string" edit
    box enter the URL to which the requester should be sent, for example
    the home page. Nothing needs to be entered on the "Administration" tab.
    Once all 8 have been added, save and close the document and issue the
    command "tell http restart" from the Domino console for the changes to
    take effect.

    Note that if the slash before $defaultNav is replaced with %2F or %5C,
    the default navigator still cannot be reached:

    http://server/foo.nsf%2f$defaultNav
    produces a 500 Unable to process request response,

    whereas

    http://server/foo.nsf%5C$defaultNav

    performs the redirection.

    NextGenSS Insight Security Research have also tested variants of double
    URL encoding and UTF-8 encoding and these seem not to work, i.e. an
    attacker cannot get access to the default navigator that way. Note that
    if you have a normal database view whose name starts with the characters
    "$d" (in either case), this fix will prevent access to that view over
    the web, since any request that contains "/$d" will be redirected. To
    work around this you could set up an alias for the view.
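    As an added illustration, not part of the advisory and not NGSSoftware
    code, the Python below models the matching behaviours described in the
    Details and Fix Information sections: the original single mapping applied
    to the raw, undecoded request, the eight-pattern workaround applied the
    same way, and a matcher that canonicalises the path (decode once, fold
    case, treat a backslash as a separator) before matching. The request
    paths are constructed for the example; the replica-ID form (a bare
    16-hex ID with no .nsf suffix) and the use of Python's fnmatch globbing as
    a stand-in for Domino's own wildcard matcher are assumptions.

```python
import fnmatch
from urllib.parse import unquote

# Constructed request paths for the example (not taken from the advisory).
# The replica-ID form, a bare 16-hex ID with no .nsf suffix, is an assumption.
REQUESTS = {
    "plain":          "/foo.nsf/$defaultNav",
    "encoded_dollar": "/foo.nsf/%24defaultNav",
    "encoded_d":      "/foo.nsf/$%64efaultNav",
    "encoded_D":      "/foo.nsf/$%44efaultNav",
    "replica_id":     "/852566CA0028A7D3/$defaultNav",
    "backslash":      "/foo.nsf%5C$defaultNav",
    "double_encoded": "/foo.nsf/%2524defaultNav",
    "other_view":     "/foo.nsf/$documents",
}

# The single mapping the original advice relied on.
ORIGINAL_RULE = "*/*.nsf/$defaultNav*"


def eight_rules():
    """The eight 'Incoming URL path' patterns the advisory recommends.

    They fall out of matching only the first two characters of $defaultNav:
    '$' raw or as %24, times 'd' raw or percent-encoded, in either case.
    """
    dollars = ["$", "%24"]
    ds = ["d", "D", "%64", "%44"]
    return [f"*/{s}{d}*" for s in dollars for d in ds]


def raw_match(path, rules):
    """Glob the *undecoded* path, as the advisory says Domino's mapping does.

    fnmatch is a stand-in for Domino's own wildcard matcher (assumption).
    """
    return any(fnmatch.fnmatchcase(path, rule) for rule in rules)


def canonical(path):
    """Normalise a path before matching: percent-decode once, treat a
    backslash as a separator, and fold case.

    Decoding exactly once mirrors the server: the advisory found that
    double-encoded requests do not reach the navigator, so a filter that
    decodes once neither matches nor needs to match them.
    """
    decoded = unquote(path)
    return decoded.replace("\\", "/").lower()


def canonical_match(path, rules):
    """Match after canonicalisation, so one rule covers every encoding."""
    norm = canonical(path)
    return any(fnmatch.fnmatchcase(norm, rule.lower()) for rule in rules)


def evaluate(path):
    """Return, for one request path, whether each approach would redirect it."""
    return {
        "original_raw": raw_match(path, [ORIGINAL_RULE]),
        "eight_raw": raw_match(path, eight_rules()),
        "canonical": canonical_match(path, ["*/$d*"]),
    }


if __name__ == "__main__":
    print(f"{'request':16} {'original':>9} {'8 rules':>8} {'canonical':>10}  path")
    for name, path in REQUESTS.items():
        r = evaluate(path)
        print(f"{name:16} {str(r['original_raw']):>9} {str(r['eight_raw']):>8} "
              f"{str(r['canonical']):>10}  {path}")
```

    Running the block prints one row per constructed request. The original
    rule redirects only the plain spelling; the eight raw patterns and the
    canonicalising matcher both catch the percent-encoded and replica-ID
    variants, and both also redirect the unrelated "$documents" view, which
    is the side effect the advisory warns about. The double-encoded request
    is caught by neither, consistent with the finding that it does not reach
    the navigator in the first place.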

    Reiterating: if access control lists are set properly on the database
    and its objects, then even if someone were able to access the default
    navigator the risk posed is greatly reduced.

    Lotus were informed about this and agreed that relying on security
    through obscurity was inadequate and that the best way to ensure the
    security of a Domino application is through the use of proper access
    control lists.

    A check for this issue already exists in DominoScan, NGSSoftware's Lotus
    Domino application security scanner; more information is available from
    http://www.nextgenss.com/dominoscan.html . NISR have also written a
    white paper on how to secure Lotus Domino's web server, available from
    http://www.nextgenss.com/papers.html
