Is Lotus Domino vulnerable to the issues reported in the security advisory posted by Dr_insane titled "IBM Lotus Domino server 6.5.1 webadmin.nsf vulnerabilities"? The advisory address is as follows:
The issue is also reported by Secunia in their advisory titled "IBM Lotus Domino Server Quick Console Cross-Site Scripting". The advisory address is as follows:
The issue is also reported by TruSecure in an email advisory titled "Lotus Domino Server Multiple Vulnerabilities". There may be other advisories containing the same information.
All three reported issues require that the attacker already hold ADMINISTRATOR access rights. The Web Administrator cannot be used at all unless the caller is an authenticated server administrator.
The "folder creation" issue, which allows folders to be created outside the Domino data directory, is not a Denial of Service (DoS) attack: it does not allow the user to delete or overwrite existing folders. The same is true of the "check if a file exists" issue. SPR # KSPR5X7NNX has been submitted to restrict this behavior to the Domino data directory, but because it is reachable only by an authenticated administrator it is not a serious security issue.
Access to the Web Administrator (webadmin.nsf) is controlled both by the ACL on the database and by the security settings in the Server document. The security settings are configured by a server administrator in the Server document. The HTTP server task ensures that the administrators listed in the "Full Access Administrators" and "Administrators" fields of the Server document are also listed in the ACL of the database, and it keeps the two synchronized. Customers should review and configure these Server document fields appropriately, and should confirm that -Default- and Anonymous hold No Access in the webadmin.nsf ACL.
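As an added illustration (not IBM's code, and not the HTTP task's actual implementation), the following Python models the synchronization described above and adds the audit a practitioner would want to run against an exported ACL: every name in the Server document's "Full Access Administrators" and "Administrators" fields must hold Manager access in webadmin.nsf, while -Default-, Anonymous and any name no longer listed in the Server document must be at No Access. The Server document, the ACL entries and the names are constructed sample data; the field and level names follow the standard Domino ones.

```python
from dataclasses import dataclass

# Domino ACL access levels, lowest to highest.
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]
# ACL entries that apply to users who are not listed by name. If "Anonymous" is
# absent from the ACL, unauthenticated web users fall through to -Default-.
SPECIAL_ENTRIES = ("-Default-", "Anonymous")


def level_rank(level: str) -> int:
    return LEVELS.index(level)


@dataclass
class ServerDoc:
    """The two Server document fields the HTTP task reads (constructed model)."""
    full_access_administrators: list
    administrators: list

    def admin_names(self) -> list:
        return list(self.full_access_administrators) + list(self.administrators)


@dataclass
class Acl:
    """Database ACL as a name -> access level map (constructed model)."""
    entries: dict

    def level_of(self, name: str) -> str:
        if name == "Anonymous" and name not in self.entries:
            return self.entries.get("-Default-", "No Access")
        return self.entries.get(name, "No Access")


def sync_webadmin_acl(server_doc: ServerDoc, acl: Acl) -> list:
    """Model of the synchronization the technote describes: every Server document
    administrator must hold Manager access. Returns the names added or raised."""
    changed = []
    for name in server_doc.admin_names():
        if level_rank(acl.level_of(name)) < level_rank("Manager"):
            acl.entries[name] = "Manager"
            changed.append(name)
    return changed


def audit_webadmin_acl(server_doc: ServerDoc, acl: Acl) -> list:
    """Return findings for any way the ACL could grant access beyond the
    administrators listed in the Server document."""
    findings = []
    admins = set(server_doc.admin_names())
    # Unauthenticated and unlisted users must get nothing.
    for special in SPECIAL_ENTRIES:
        lvl = acl.level_of(special)
        if level_rank(lvl) > level_rank("No Access"):
            findings.append(f"{special} has {lvl}; expected No Access")
    # Stale entries: names with access that are no longer Server document administrators.
    for name, lvl in acl.entries.items():
        if name in SPECIAL_ENTRIES:
            continue
        if name not in admins and level_rank(lvl) > level_rank("No Access"):
            findings.append(f"{name} has {lvl} but is not listed in the Server document")
    # Drift in the other direction: a listed administrator without Manager access.
    for name in sorted(admins):
        if acl.level_of(name) != "Manager":
            findings.append(f"{name} is listed in the Server document but lacks Manager access")
    return findings


if __name__ == "__main__":
    # Constructed sample: one administrator missing from the ACL, one under-privileged,
    # one stale Manager entry, and Anonymous granted Reader.
    server_doc = ServerDoc(
        full_access_administrators=["CN=Jane Admin/O=Acme"],
        administrators=["CN=Bob Ops/O=Acme"],
    )
    acl = Acl(entries={
        "-Default-": "No Access",
        "Anonymous": "Reader",
        "CN=Bob Ops/O=Acme": "Editor",
        "CN=Old Admin/O=Acme": "Manager",
    })
    print("synchronized:", sync_webadmin_acl(server_doc, acl))
    for finding in audit_webadmin_acl(server_doc, acl):
        print("FINDING:", finding)
```

The synchronization step only ever raises access for listed administrators, which is why the audit is needed as well: the HTTP task will not remove a stale Manager entry or lower Anonymous, so those have to be checked and fixed by hand in the ACL.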