Lotus Domino View ACL by-pass

October 29th, 2001

NGSSoftware Insight Security Research Advisory

Name:             Lotus Domino View ACL by-pass
Systems Affected: Lotus Domino Web Server 5.x on all operating systems
Severity:         Possibly high
Vendor URL:       http://www.lotus.com/
Author:           David Litchfield (david@nextgenss.com)
Date:             29th October 2001
Advisory number:  #NISR29102001C

Description
***********

Lotus Domino is an application server designed to aid workgroups and
collaboration on projects and offers SMTP, POP3, IMAP, LDAP and web
services that allow users to interact with Lotus Notes databases.

A Lotus Notes database contains documents which are organized into views.
Access control lists can be applied to the database itself, views
and documents. If a user has been denied access to a view, NISR have
discovered that it is possible to by-pass the permissions set on that view
and access the documents one would expect it to protect.

Details
*******

The reason this vulnerability exists is that even though a document
might exist in one view, it can be accessed from any view; that is,
all documents in a Lotus Notes database can be accessed from any view.

As an example of this, examine the Statistics Reporting database, statrep.nsf.
If you open the Events view:

http://server/statrep.nsf/136/?OpenView

some documents will exist. (136 is the NoteID of the Events view.)

If you open the hidden $Alarms view:

http://server/statrep.nsf/$alarms/?OpenView

no documents exist.

Request one of the documents from the Events view:

http://server/statrep.nsf/136/8F6?OpenDocument

(8F6 is the NoteID of the first document.)

Note the text of this document and then request:

http://server/statrep.nsf/$alarms/8F6?OpenDocument

The same document is returned, even though $alarms has no documents.

Now, if you apply access controls on the Events view and request

http://server/statrep.nsf/136/8F6?OpenDocument

the server will return an Illegal Argument exception error. This is
due to the fact that the server expects credentials.

However, requesting

http://server/statrep.nsf/$alarms/8F6?OpenDocument

still returns the document, even though access to the view the
document exists in is disallowed.

The reason we can request any document through any view is that a
NoteID is simply a pointer to a location in the database file, and as
long as the server receives its expected syntax, i.e. database, view,
then document, it will service the request. By making a request with
a NoteID we’re simply forcing the server to return the contents of an
arbitrary location within the file.

Fix Information
***************

The solution to this problem is to ensure that, if you are applying ACLs to a view,
the documents in that view are also protected.

Lotus were informed about this issue and their response was that applying ACLs
to a view protected only the view and not the documents themselves, and that
they, too, should have access control lists applied.
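The following is an added illustration, not Lotus or NGSSoftware code, of the authorization behaviour the Details section describes and of the remedy above. It models an .nsf as an in-memory database where documents are addressed by NoteID (a pointer into the file, so the view named in the request is never checked for membership), reader lists can sit on views and on documents, and a single resolver enforces only the ACL of the view named in the request plus whatever reader list the document itself carries. The database contents follow the statrep.nsf walkthrough (Events view with NoteID 136, document 8F6, an empty $Alarms view); the document text, the "admin" and "anonymous" identities and the $Alarms ACL state are constructed, and an audit helper lists the documents an administrator would still need to protect.

```python
"""Model of the Domino view/document authorization behaviour described in the advisory.

Added illustration, not Lotus or NGSSoftware code. Everything below is an
assumption made for the example: the in-memory database, the user names and
the document text are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


class AccessDenied(Exception):
    """Stands in for the error the server returns instead of the document."""


@dataclass
class Document:
    note_id: str                          # hex NoteID: a pointer into the database file
    body: str
    readers: Optional[Set[str]] = None    # document-level ACL; None = no restriction


@dataclass
class View:
    name: str
    members: Set[str]                     # NoteIDs the view's selection displays
    note_id: Optional[str] = None         # views can also be addressed by NoteID
    readers: Optional[Set[str]] = None    # view-level ACL; None = anyone may open it


class Database:
    """Minimal .nsf stand-in: documents by NoteID, views by name or NoteID."""

    def __init__(self, docs: List[Document], views: List[View]) -> None:
        self.docs: Dict[str, Document] = {d.note_id.upper(): d for d in docs}
        self.view_list: List[View] = list(views)
        self.views: Dict[str, View] = {}
        for v in views:
            self.views[v.name.lower()] = v
            if v.note_id is not None:
                self.views[v.note_id.upper()] = v

    def resolve_view(self, ref: str) -> View:
        view = self.views.get(ref.lower()) or self.views.get(ref.upper())
        if view is None:
            raise KeyError(f"no such view: {ref}")
        return view


def open_document(db: Database, view_ref: str, note_id: str, user: str) -> str:
    """Serve <database>/<view>/<NoteID>?OpenDocument the way the advisory describes:
    the ACL of the view named in the request is checked, the document's own reader
    list (if any) is checked, and the NoteID is then dereferenced directly. Whether
    the document is actually a member of that view is never consulted."""
    view = db.resolve_view(view_ref)
    if view.readers is not None and user not in view.readers:
        raise AccessDenied(f"{user} may not open view {view.name}")
    doc = db.docs[note_id.upper()]
    if doc.readers is not None and user not in doc.readers:
        raise AccessDenied(f"{user} is not a reader of document {doc.note_id}")
    return doc.body


def request_outcome(db: Database, view_ref: str, note_id: str, user: str) -> str:
    """Collapse a request to its visible result: the document body, or 'DENIED'."""
    try:
        return open_document(db, view_ref, note_id, user)
    except AccessDenied:
        return "DENIED"


def audit_unprotected_documents(db: Database) -> List[str]:
    """Administrator's check: documents shown in a reader-restricted view that carry
    no reader list of their own remain reachable through any unrestricted view."""
    exposed: Set[str] = set()
    for view in db.view_list:
        if view.readers is None:
            continue
        exposed.update(nid.upper() for nid in view.members
                       if db.docs[nid.upper()].readers is None)
    return sorted(exposed)


def build_statrep_example(protect_documents: bool) -> Database:
    """Constructed data following the advisory's walkthrough: the Events view (NoteID
    136) restricted to administrators contains document 8F6; the hidden $Alarms view
    displays nothing and, as assumed here, carries no ACL of its own."""
    admins = {"admin"}
    report = Document("8F6", "Event report (constructed sample text)",
                      readers=admins if protect_documents else None)
    events = View("Events", members={"8F6"}, note_id="136", readers=admins)
    alarms = View("$Alarms", members=set())
    return Database([report], [events, alarms])


if __name__ == "__main__":
    for label, protect in (("view ACL only", False), ("document readers set", True)):
        db = build_statrep_example(protect_documents=protect)
        for view_ref in ("136", "$alarms"):
            print(f"{label:22} anonymous via {view_ref:8}: "
                  f"{request_outcome(db, view_ref, '8F6', 'anonymous')}")
        print(f"{label:22} documents still needing reader lists: "
              f"{audit_unprotected_documents(db)}")
```

With only the view ACL in place, the anonymous request through the restricted Events view is refused while the same NoteID requested through $Alarms is served; once the document carries its own reader list, the path used to reach it stops mattering, and the audit helper reports nothing left to protect. In a real deployment the equivalent check is to walk each reader-restricted view and confirm that every document it selects has a Readers field of its own.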

NISR consider that the difference between expected and actual behaviour
is considerable enough that many Lotus administrators may be caught out
by this and should ensure that their sensitive documents are indeed
protected.

A check for this issue already exists in DominoScan, NGSSoftware’s
Lotus Domino application security scanner; more information
is available from http://www.nextgenss.com/dominoscan.html . NISR
have also written a white paper on how to secure Lotus Domino’s web
server, available from http://www.nextgenss.com/papers.html
