× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. DOMINO400
  3. March 2016

Re: Anonymous access to domcfg.nsf, decsdoc.nsf, dolshelp.nsf, lccon.nsf, lsxlc.nsf, readme.nsf, and, HTTP Trace,

That's pretty standard.

For domcfg, you'll have to make some changes so that login screen images
will be able to be visible if you completely disable Anonymous. I'd say
leave Anonymous to just READER and they shouldn't be able to "modify" any
mappings. If IBM says that that's possible, then that means that IBM has a
MAJOR vulnerability that they need to fix if their own domcfg template
allows bypassing the ACL. Here's more information from IBM on that. If you
set Anonymous to No Access, you'll need to still allow reading public
documents. http://www-01.ibm.com/support/docview.wss?uid=swg21230037

Also, open up catalog.nsf and sort ACL by name. Look at Anonymous and make
sure that there are no other db's with anonymous allowed - set them all to
No Access.

For HTTP TRACE, that's a pretty common recommendation as well. You should
be OK changing that.


---------------------------------------------------

Thanks,
Chris
Personal Blog: http://cwhisonant.tk
Work Blog: https://www.socialbizug.org/blogs/lotusnut

On Wed, Mar 16, 2016 at 4:22 PM, Rob Berendt <rob@xxxxxxxxx> wrote:

We have IBM doing some benevolent hacking. They've come up with some
recommendations like the following:
Any problems with their recommendations

Description:
The Domino server has been configured to allow anonymous access to the
Domino Configuration Database (domcfg.nsf). This database would allow an
attacker to view and potentially modify URL mappings, URL redirection, and
other administrative functions of your Domino site.

Vulnerability Solution:
Open the database in the Lotus Notes client and edit the ACL.
Change the access level for Default and Anonymous to "No Access".
If this information is not critical for distribution to other domains,
also restrict access for OtherDomainServers to "No Access".
For all entries set to "No Access", also verify that the "Read public
documents" and "Write public documents" are unchecked. If not, access
will still be permitted for any public documents.



Description:
The HTTP TRACE method is normally used to return the full HTTP request
back to the requesting client for proxy-debugging purposes. An attacker
can create a webpage using XMLHTTP, ActiveX or XMLDOM to cause a client to
issue a TRACE request and capture the client's cookies. This effectively
results in a Cross-Site Scripting attack.

Vulnerability Solution:
Lotus Domino
Disable HTTP TRACE Method for Domino
Follow IBM's instructions for disabling HTTP methods on the Domino server
by adding the following line to the server's NOTES.INI file:
HTTPDisableMethods=TRACE
After saving NOTES.INI, restart the Notes web server by issuing the
console command "tell http restart".


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com

--
This is the Lotus Domino on the IBM i (AS/400 and iSeries) (Domino400)
mailing list
To post a message email: Domino400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/domino400
or email: Domino400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/domino400.


As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.