An advisory from CYBSEC raises three Lotus Domino server configuration issues that are discussed in this technote.
- Reader access to the Domino Directory (names.nsf)
- Hashing algorithm used to store the Internet password (HTTPPassword field)
- Ability to view the contents of hidden fields, including the HTTPPassword and $dspHTTPPassword
The advisory address is as follows:
This advisory has also been posted in these other sources:
Security Focus item titled "IBM Lotus Domino WebMail information disclosure
vulnerability" at the following address:
SearchDomino news article titled "Webmail opens hole in IBM Lotus Domino" at the following address:
Related advisories have also been reported by other sources:
By default, users must authenticate to the Domino Web server in order to gain reader access to the Domino Directory. In the ACL, Anonymous is set to "No Access" and Default is set to "Reader", which will force all users to authenticate.
Domino offers the choice of two algorithms for storing the Internet password in the Person record. The original format is a single unsalted hash. In Domino 4.6, a second format was introduced, known as the "More secure Internet password format," which is a salted hash. When using this format, the string "(355E98E7C7B59BD810ED845AD0FD2FC4)" will not be the hash for the string "password," and the hashed value will be different for every user who chooses the same password value. This format is not backwards-compatible with Domino R4.5, so all servers must be at R4.6 or higher. IBM Lotus strongly recommends the use of the "More secure Internet password format" for storing Internet passwords in the Domino Directory.
To upgrade existing Person documents, select the Person documents from the view and select Actions -> Upgrade to More Secure Internet Password Format. This action runs an agent to enforce the use of the salted hash. To ensure that the more secure Internet password format is used when creating new Person records, edit the Directory Profile from Actions -> Edit Directory Profile and select "Yes" for the "Use more secure Internet password format" field. This requires Domino 5.0.6 or higher.
To disable the display of hidden field values from View Source in the browser, open the Person Form in the Domino Designer. Select Design -> Form Properties. On the second tab, disable the option to "Generate HTML for all fields." When this setting is disabled, the values of all hidden fields on the document will not be displayed.
Hiding fields is not an access control mechanism, however, and field values can be accessed in other ways (for example, at the view level and from the Notes client). Extended ACLs were introduced in Domino 6.0 and can be used to apply access controls at the field level. This is a more effective means of protecting the values stored in a field. Refer to technote #1244808 for additional details on configuring xACLs to protect the Internet password fields.
Password-based authentication assumes a higher risk of attack than certificate-based authentication. These risks can be mitigated by adhering to the following recommendations:
1) Restrict anonymous access to the Domino Directory
2) Apply the more secure Internet password format for all users
3) Enforce the use of strong passwords/passphrases
Excerpt from the Domino Designer help topic titled "Selected Form Properties"
Generating HTML for hidden fields
Selecting this option creates larger files on the Web and may decrease application performance. Also consider security, since information in hidden fields, though not visible in the browser, is visible through the "View Source" menu item on the browser.
On the Defaults tab, in the "On Web Access" section, check the option "Generate HTML for all fields" and deselect HTML in the Content type section.