Domino flaw exposes databases
Many Lotus Domino users may soon be cursing the IBM subsidiary's developers if they don't find a way to fix a Domino security hole.
The problem is not an actual product bug, but instead a glitch in the way the Domino package is configured by end users, according to an alert issued by Boston-based L0pht, a hacker organization.
Because of the glitch, any Web user can write to and exploit remote server drives and change server configuration files, according to a L0pht email distributed yesterday. The design flaw can give unauthorized users unrestricted access to default Domino databases.
A Lotus representative said the company is aware of the security problem and has released a statement today addressing the issue. "We see the scenarios described in L0pht's alert as security administration issues, and in our documentation we encourage users and administrators to thoroughly examine and implement the precautions they must take to keep their servers secure."
To address the issues, Lotus has posted a technical note to its Web site that lists administration guidelines warning users of the problem and help them to understand how to avoid it.
But the company admitted it is still evaluating changes in default security settings and in administration features in the Domino product to make it easier for administrators to avoid configuration problems that can allow for breaches in security.
According to L0pht's alert, the problem stems from the mechanism used for setting the server's security permissions, called ACLs (access control lists).
The problem is that the database default ACLs are set to give every user "read and write" access to the database. The L0pht alert states that there is also no way to automatically reset the ACLs to grant read-only access for a large number of databases at a single time, so every ACL for every database needs to be manually edited by an administrator to make sure the ACL is set properly. These two issues alone guarantee that a number of databases on a server will be giving unwanted access to Web users, who can then write to server drives, read log files, and edit or delete database information, the L0pht alert warned.
Another problem is databases do not correctly inherit the ACL from the parent templates used to create them. Templates update the design, forms, and views of similar databases but do nothing to the ACL.
Finally, a L0pht member identified only as Matt W., wrote there is no tool that allows an administrator to test the security of their server and the server's configuration files.
In an email to CNET's NEWS.COM, Matt W. said these three problems combined are a "huge" security issue for Web site administrators. "Web users being able to write, read, delete from remote server drives is pretty significant."
Although he admits the problem doesn't render the product useless, he said the problems will be a huge headache for administrators. "Basically, the fact that this problem has cropped up in many Domino sites means that there needs to be a fix. Like in most cases, a bug in an application doesn't render it completely useless, but a Domino Administrator not knowing about this problem could be devastating to a site."
In related news, at next week's Lotusphere '98 in Orlando, Florida, Lotus will introduce the next version of the Domino product line, Domino 5.0. The company representative would not comment on whether these latest security issues would affect the next release.