CYBSEC Advisory: Default Configuration Information Disclosure in Lotus Domino

Technote (FAQ)


Question

An advisory from CYBSEC raises three Lotus Domino server configuration issues that are discussed in this technote.

  1. Reader access to the Domino Directory (names.nsf)
  2. Hashing algorithm used to store the Internet password (HTTPPassword field)
  3. Ability to view the contents of hidden fields, including the HTTPPassword and $dspHTTPPassword

The advisory address is as follows:
This advisory has also been posted in these other sources:

Security Focus item titled "IBM Lotus Domino WebMail information disclosure vulnerability" at the following address:

http://www.securityfocus.com/bid/14388/discuss

SearchDomino news article titled "Webmail opens hole in IBM Lotus Domino" at the following address:

http://searchdomino.techtarget.com/originalContent/0,289142,sid4_gci1111639,00.html

Related advisories have also been reported by other sources:
http://www.venera.com/downloads/Lotus_password_disclosures.pdf


Answer

By default, users must authenticate to the Domino Web server in order to gain reader access to the Domino Directory. In the ACL, Anonymous is set to "No Access" and Default is set to "Reader", which will force all users to authenticate.

Domino offers the choice of two algorithms for storing the Internet password in the Person record. The original format is a single unsalted hash. In Domino 4.6, a second format was introduced, known as the "More secure Internet password format," which is a salted hash. When this format is used, the value "(355E98E7C7B59BD810ED845AD0FD2FC4)" is no longer the stored hash of the string "password," and the stored value is different for every user who chooses the same password. This format is not backwards-compatible with Domino R4.5, so all servers must be at R4.6 or higher. IBM Lotus strongly recommends the use of the "More secure Internet password format" for storing Internet passwords in the Domino Directory.

To upgrade existing Person documents, select the Person documents from the view and select Actions -> Upgrade to More Secure Internet Password Format. This action runs an agent to enforce the use of the salted hash. To ensure that the more secure Internet password format is used when creating new Person records, edit the Directory Profile from Actions -> Edit Directory Profile and select "Yes" for the "Use more secure Internet password format" field. This requires Domino 5.0.6 or higher.
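As an added example (not from the technote or from IBM), a small Python audit of Person records exported as (FullName, HTTPPassword) pairs: it classifies each stored value by format, lists the records still on the unsalted format that the upgrade action above would convert, and shows why that format is weaker, since identical unsalted hashes mean identical passwords. It uses the technote's example hash; the "(G..." shape assumed for the salted format and all other values are assumptions or constructed samples.

```python
import re
from collections import defaultdict

# Legacy (unsalted) Internet password format: 32 upper-case hex digits in
# parentheses. The technote quotes this value as the unsalted hash of "password".
LEGACY_HASH_OF_PASSWORD = "(355E98E7C7B59BD810ED845AD0FD2FC4)"
LEGACY_RE = re.compile(r"^\([0-9A-F]{32}\)$")
# "More secure" (salted) format. Assumption: stored values begin with "(G"
# followed by base64-style characters; only the classification matters here.
SALTED_RE = re.compile(r"^\(G[A-Za-z0-9+/]{20,}\)$")

def classify(http_password):
    """Return which Internet password format a stored HTTPPassword value uses."""
    if LEGACY_RE.match(http_password):
        return "legacy-unsalted"
    if SALTED_RE.match(http_password):
        return "salted"
    return "unknown"

def audit_directory(person_records):
    """Audit (FullName, HTTPPassword) pairs exported from the Domino Directory.

    Reports users still on the unsalted format, users whose stored value is the
    technote's hash of "password", and legacy users sharing one hash: with an
    unsalted hash, equal values mean equal passwords, which the salted format
    prevents by giving every user a different hash for the same password.
    """
    result = {"legacy": [], "salted": [], "unknown": [], "known_weak": []}
    by_hash = defaultdict(list)
    for name, hp in person_records:
        kind = classify(hp)
        if kind == "legacy-unsalted":
            result["legacy"].append(name)
            by_hash[hp].append(name)
            if hp == LEGACY_HASH_OF_PASSWORD:
                result["known_weak"].append(name)
        elif kind == "salted":
            result["salted"].append(name)
        else:
            result["unknown"].append(name)
    result["shared_hash"] = {h: u for h, u in by_hash.items() if len(u) > 1}
    return result

# Constructed sample records: the first two reuse the technote's example hash;
# the other values are placeholders, not real Domino output.
SAMPLE_RECORDS = [
    ("Alice Example/Acme", "(355E98E7C7B59BD810ED845AD0FD2FC4)"),
    ("Bob Example/Acme", "(355E98E7C7B59BD810ED845AD0FD2FC4)"),
    ("Carol Example/Acme", "(0123456789ABCDEF0123456789ABCDEF)"),
    ("Dave Example/Acme", "(GVUTSRQPONMLKJIHGFEDCBA)"),
]
```

Running `audit_directory(SAMPLE_RECORDS)` lists Alice, Bob and Carol as candidates for the upgrade action, and shows that Alice and Bob share one unsalted hash, so they share one password.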

To disable the display of hidden field values from View Source in the browser, open the Person Form in the Domino Designer. Select Design -> Form Properties. On the second tab, disable the option to "Generate HTML for all fields." When this setting is disabled, the values of hidden fields on the document are no longer written into the HTML sent to the browser.

Hiding fields is not an access control mechanism, however, and field values can be accessed in other ways (for example, at the view level and from the Notes client). Extended ACLs were introduced in Domino 6.0 and can be used to apply access controls at the field level. This is a more effective means of protecting the values stored in a field. Refer to technote #1244808 for additional details on configuring xACLs to protect the Internet password fields.

Password-based authentication carries a higher risk of attack than certificate-based authentication. These risks can be mitigated by adhering to the following recommendations:
1) Restrict anonymous access to the Domino Directory
2) Apply the more secure Internet password format for all users
3) Enforce the use of strong passwords/passphrases

Additional Information
Excerpt from the Domino Designer help topic titled "Selected Form Properties"


    Generating HTML for hidden fields

    On the Defaults tab of the Form Properties box, select "Generate HTML for all fields" to generate HTML information about hidden fields on a form. This allows documents in a Web application to work like documents in a Notes application. For example, if you create a form that relies on a hidden field for a calculation, that form may not behave as expected in a Web application in certain situations. By generating HTML for the fields, the information is available for Domino to successfully complete the calculation. The HTML generated for the hidden fields is also accessible through JavaScript, so you can change the value or find out the state of a hidden field with a script.

    Selecting this option creates larger files on the Web and may decrease application performance. Also consider security, since information in hidden fields, though not visible in the browser, is visible through the "View Source" menu item on the browser.

    On the Defaults tab, in the "On Web Access" section, check the option "Generate HTML for all fields" and deselect HTML in the Content type section.

Document information


More support for:

Lotus End of Support Products
Lotus Domino

Software version:

5.0, 6.0, 6.5, 7.0

Operating system(s):

AIX, Linux, OS/400, Solaris, Windows, i5/OS, z/OS

Reference #:

1212934

Modified date:

2005-09-20
