A glitch in Domino?

Bug-busting group L0pht posts an advisory on its Web site warning Lotus Domino users and application developers of a glitch.

Bug-busting group L0pht has posted an advisory on its Web site warning Lotus Domino users and application developers of a glitch which occurs with some applications based on the Web server and opens up sensitive information to any user on the Internet.

The Boston, Massachusetts-based company has received reports regarding the "vulnerability." Those reports say the glitch affects Web sites created by Lotus Business Partners who provide training services and accept credit cards over the Web. However, in theory, L0pht said the problem could extend to any e-commerce site.

Although it has not released an official comment on the advisory, a Lotus spokesman told CNET News.com that the company is aware of the alleged glitch and is currently contacting customers to figure out its legitimacy. It is expected to respond to the advisory soon.

L0pht said it contacted Lotus Business Partners, which confirmed that it is affected by the problem, but the bug-busting group said it does not want to "place blame on the software vendor or on the applications developers."

"The advisory is designed to alert customers that they should be wary of putting sensitive information into Web applications," L0pht said.

Detailing the problem, L0pht said Web users can navigate to the portion of the site used for processing registration and payment information and remove everything to the right of the database name in the URL, which typically ends in .nsf.

In one example, all the database views were exposed which included a view containing previous registrations and a view containing "All documents." These views then could be accessed by clicking on the link and browsing the data within the view, which typically consists of business and customer names, addresses, phone numbers, and payment information.

The problem may be related to the way in which the application built on the Domino platform was designed, or just plain ignorance on the part of the application developer, but because the biggest concern by consumers using the Web to purchase goods and participate in e-commerce is protecting sensitive information, the issue warrants attention, L0pht said.

To test for the vulnerability, L0pht advises users to navigate through a Domino site and, once a database has been accessed, remove the information after the .nsf (or after the first set of numbers following the server portion of the URL) and replace it with "?Open". If the user is then presented with a list of views, the site is potentially vulnerable: anonymous users may be able to access the information contained within the views in that list.

For a temporary solution, the affected sites could have been protected using Readers and Authors fields to prevent unauthorized access to their clients' data. The internal registration views could have been hidden from anonymous users. Additionally, every Domino site should disallow anonymous access for at least these databases: names.nsf, catalog.nsf, log.nsf, domlog.nsf, and domcfg.nsf.
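As an added illustration (not part of the advisory or the article), the following script shows how a Domino administrator could review the Web server's access log for the two conditions described above: anonymous requests that fetch a bare database URL with "?Open" (the view-list exposure) and any anonymous request for the default databases the advisory says should never be open. It assumes the HTTP log is in Common Log Format and uses constructed sample lines.

```python
import re
from urllib.parse import urlsplit

# Default Domino databases the advisory says must not be readable anonymously.
SENSITIVE_DBS = {"names.nsf", "catalog.nsf", "log.nsf", "domlog.nsf", "domcfg.nsf"}

# Common Log Format (assumption: the Domino HTTP log is written this way).
# The remote-user field is "-" when the request was not authenticated.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

def classify(line):
    """Return (finding, database, client, status) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    segs = [s for s in parts.path.split("/") if s]
    # The database is the first path element ending in .nsf.
    db = next((s for s in segs if s.lower().endswith(".nsf")), None)
    if db is None:
        return None
    anonymous = m.group("user") == "-"
    status = m.group("status")
    if anonymous and db.lower() in SENSITIVE_DBS:
        # Any anonymous attempt on a default database is worth reviewing,
        # whether it succeeded (200) or was refused (401/403).
        return ("anonymous-default-db", db, m.group("host"), status)
    # Bare database URL with "?Open" (or nothing) served successfully to an
    # anonymous client: the view list enumeration described in the advisory.
    bare = segs[-1].lower() == db.lower() and parts.query.lower() in ("open", "")
    if anonymous and bare and status == "200":
        return ("anonymous-view-list", db, m.group("host"), status)
    return None

def scan(lines):
    """Run classify over log lines and return the list of findings."""
    return [f for f in (classify(l) for l in lines) if f]

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Feb/1999:10:02:11 -0500] "GET /training.nsf/register?OpenForm HTTP/1.0" 200 4312
203.0.113.5 - - [12/Feb/1999:10:02:40 -0500] "GET /training.nsf?Open HTTP/1.0" 200 2210
203.0.113.5 - - [12/Feb/1999:10:03:02 -0500] "GET /names.nsf?Open HTTP/1.0" 401 312
198.51.100.7 - jdoe [12/Feb/1999:10:05:00 -0500] "GET /training.nsf?Open HTTP/1.0" 200 2210
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

A successful "anonymous-view-list" hit is the signal that the database's ACL or Readers fields need tightening; the authenticated request on the last sample line is deliberately not reported.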

For more information L0pht recommends contacting the author of the advisory via email at nardo@L0pht.com.

In January, L0pht posted another advisory on Domino. The problem was not an actual product bug, but instead a glitch in the way the Domino package is configured by end users. Because of the glitch, any Web user could write to and exploit remote server drives and change server configuration files, according to L0pht. The design flaw again gave unauthorized users unrestricted access to default Domino databases.