Webadmin.nsf Vulnerabilities Reported in Advisory

Technote (FAQ)


Question

Is Lotus Domino vulnerable to the issues reported in the security advisory posted by Dr_insane titled "IBM Lotus Domino server 6.5.1 webadmin.nsf vulnerabilities"? The advisory address is as follows:

http://members.lycos.co.uk/r34ct/main/ibm_lotus_domino/lotus.txt

The issue is also reported by Secunia in their advisory titled "IBM Lotus Domino Server Quick Console Cross-Site Scripting". The advisory address is as follows:

http://secunia.com/advisories/11143/

The issue is also reported by TruSecure in an email advisory titled "Lotus Domino Server Multiple Vulnerabilities". There may be other advisories containing the same information.

Answer

All three issues reported require that the attacker have ADMINISTRATOR access rights. If you are not already an authenticated server administrator, you cannot use the Web Administrator.

The "folder creation" issue that allows folders to be created outside the Domino data directory is not a Denial of Service (DoS) attack. It does not allow the user to delete or overwrite existing folders. The same is true of the "check if a file exists" issue. SPR # KSPR5X7NNX has been submitted to restrict access to the Domino data directory, but this is not a serious security issue.
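The restriction the SPR describes amounts to a path-containment check: a requested folder name must resolve to a location inside the data directory before it is created. The following is an added illustration of that check, not IBM's or Domino's code; it assumes a hypothetical data directory `/opt/domino/data` and POSIX path semantics, and shows a naive prefix test beside a hardened version that normalizes `..` segments and absolute paths first.

```python
from pathlib import Path

# Constructed data directory for the example; not a real Domino install path.
DATA_DIR = Path("/opt/domino/data")


def naive_is_inside(data_dir: Path, requested: str) -> bool:
    """Weak check: a string-prefix test on the joined path.

    ".." segments are never collapsed and an absolute 'requested' value is
    simply appended, so both traversal and absolute paths pass the test.
    """
    candidate = str(data_dir) + "/" + requested
    return candidate.startswith(str(data_dir))


def is_inside_data_dir(data_dir: Path, requested: str) -> bool:
    """Hardened check: resolve the candidate, then require containment.

    Path.resolve() collapses ".." and follows any symlinks in the existing
    prefix (strict=False, so the target need not exist yet). Joining an
    absolute 'requested' onto the base yields that absolute path, which the
    containment test then rejects. A candidate equal to the base itself is
    treated as inside (nothing is created above the data directory).
    """
    base = data_dir.resolve()
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return False
    return True


def folder_request_allowed(requested: str) -> bool:
    """Decision a folder-creation handler would make for one request."""
    return is_inside_data_dir(DATA_DIR, requested)


if __name__ == "__main__":
    # Constructed sample requests: two legitimate, three escaping the base.
    samples = [
        "mail",
        "mail/archive",
        "../outside",
        "mail/../../../tmp",
        "/tmp/absolute",
    ]
    for req in samples:
        print(f"{req!r:24} naive={naive_is_inside(DATA_DIR, req)!s:5} "
              f"hardened={folder_request_allowed(req)}")
```

The naive variant accepts every sample, including the three that escape the data directory, while the hardened variant accepts only the first two; the difference is entirely in canonicalizing before comparing.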

The "Quick Console XSS" issue is completely non-existent. Code executing in the administrator's browser only comes from the server itself, therefore it doesn't matter what is entered in the quick console. JavaScript code that is sent to the server will result in a "command or option is not recognized" error because the server console does not understand JavaScript commands. It is unnecessary to perform input validation in the quick console because validation is done at the server and causes no harm.

Access to the Web Administrator (webadmin.nsf) is controlled both by ACLs on the database and in security settings in the Server document. Access is configured by a server administrator in the Server document. The HTTP server task ensures that administrators listed in the "Full Access Administrators" and "Administrators" fields in the Server document are also listed in the ACL of the database and keeps access synchronized. Customers should configure these settings in the Server document appropriately.

Document information


More support for:

Lotus End of Support Products
Lotus Domino Server

Software version:

6.5.1

Operating system(s):

Windows

Reference #:

1163845

Modified date:

2010-01-27