When you set up a new server in Domino 8.0 or later, you have the option of
setting the default to anonymous on all DBs created.
If your server has been upgraded from prior versions, you would need to
manually change those settings.


Walter Scanlan
Senior Software Engineer
Office: 507-286-6088
Cell: 507-990-4539
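For the upgraded-server case described above, where the Anonymous entries have to be changed by hand, the following LotusScript agent is an added example (not code from the thread or from IBM): it walks every database on a server, reports each ACL that lets Anonymous (or -Default-, when no Anonymous entry exists) in above No Access, and optionally lowers them. It assumes the agent signer has Manager access to the databases it changes; SERVER_NAME is a placeholder.

```lotusscript
' Added example: audit (and optionally fix) anonymous ACL access on one server.
' This inspects the ACL only; the "Allow HTTP clients to browse databases"
' server setting is a separate control and is not touched here.
%INCLUDE "lsconst.lss"

Const SERVER_NAME = "CN=YourServer/O=YourOrg"   ' placeholder, set to your server
Const FIX_ACL = False                            ' True = lower offending entries to No Access

Sub Initialize
    Dim session As New NotesSession
    Dim dir As NotesDbDirectory
    Dim db As NotesDatabase
    Dim acl As NotesACL
    Dim entry As NotesACLEntry
    Dim found As Integer

    Set dir = session.GetDbDirectory(SERVER_NAME)
    Set db = dir.GetFirstDatabase(DATABASE)
    Do Until db Is Nothing
        If db.Open("", "") Then
            Set acl = db.ACL
            ' Web users who have not logged in are evaluated as "Anonymous";
            ' when that entry is absent, the -Default- entry applies instead.
            Set entry = acl.GetEntry("Anonymous")
            If entry Is Nothing Then Set entry = acl.GetEntry("-Default-")
            If Not entry Is Nothing Then
                If entry.Level > ACLLEVEL_NOACCESS Then
                    found = found + 1
                    Print db.FilePath & ": " & entry.Name & " has ACL level " & CStr(entry.Level)
                    If FIX_ACL Then
                        If entry.Name = "-Default-" Then
                            ' Add an explicit Anonymous entry instead of lowering -Default-,
                            ' which would also affect authenticated users not listed in the ACL.
                            Call acl.CreateACLEntry("Anonymous", ACLLEVEL_NOACCESS)
                        Else
                            entry.Level = ACLLEVEL_NOACCESS
                        End If
                        Call acl.Save()
                        Print "  -> Anonymous set to No Access"
                    End If
                End If
            End If
        End If
        Set db = dir.GetNextDatabase
    Loop
    Print "Databases granting anonymous access: " & CStr(found)
End Sub
```

Run it with FIX_ACL left at False first and review the agent log, since a database that legitimately serves anonymous web content (a Quickr place, for instance) will be listed too.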




From: rob@xxxxxxxxx
To: domino400@xxxxxxxxxxxx
Date: 02/16/2011 01:57 PM
Subject: Lotus Domino Default Database Unprotected
Sent by: domino400-bounces+wscanlan=us.ibm.com@xxxxxxxxxxxx



We've contracted with IBM to perform some threat analysis of our network.
We get these Qualys reports of our vulnerabilities.
One vulnerability is that people can access a series of default Domino
databases. Out of all these, the only opening was domcfg.nsf.
We already have "Allow HTTP clients to browse databases:" set to No.
The admin client makes it nice to highlight groups of these databases and
modify anonymous.
To what should I set anonymous? Keep in mind that this is a Domino-based
Quickr server.
If I create a new place in Quickr and it creates its set of databases, I
did check and see that these databases are No Access for anonymous -
that's good news.

Threat details below:

Level 3 Lotus Domino Default Database Unprotected port 80/tcp
QID: 10058
Category: CGI
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Service Modified: 04/28/2009
User Modified: -
Edited: No
THREAT:
Anonymous access was allowed on the Lotus Domino Databases that are listed
in the results section. These databases enable users to view logs,
manage users, manage certificates, etc.
We have checked for anonymous access on the following databases:
admin4 database.
webadmin database.
certlog database.
log database.
names database.
catalog database.
domcfg database.
domlog database.
ccnotbb database.
clubusy database.
statrep database.
nntppost database.
nd000002 database.
nd000001 database.
nd000000 database.
smtpobwq database.
smtpibwq database.
mailobj database.
mtatbls database.
madman database.
x400log database.
mailobj1 database.
mtaforms database.
billing database.
dspug database.
events4 database.
events database.
reports database.
reports4 database.
report4 database.
statmail database.
AgentRunner database.
certsrv database.
busytime database.
cpa database.
decsadm database.
ssw database.
certca database.
unames database.
ssladmin database.
decomsrv database.
dba4 database.
dsgnsyn database.
loga4 database.
clusta4 database.
tmparchv database.
DBLIB4 database.
dblib4 database.
userreg database.
user.id database.
ispy50 database.
mtstore database.
INCONFIG database.
inconfig database.
modems database.
schema50 database.
closingbill database.
userobj database.
opendominoserver database.
getdominoiisstats database.
setup database.
setupweb database.
cldbdir database.
srchsite database.
redir database.
perweb database.
resources database.
Contacts1 database.
Search database.
search database.
Admin database.
admin database.
Main database.
master database.
web database.
homepage database.
webadmin database.
IMPACT:
Unauthorized users can gather sensitive information, such as
authentication certificates for users, custom database names, logfiles and
schedules, by stealing the database.
SOLUTION:
Enable access control with username and password on the database listed in
the results section below.
COMPLIANCE:
Not Applicable
EXPLOITABILITY:
There is no exploitability information for this vulnerability.
ASSOCIATED MALWARE:
There is no malware information for this vulnerability.
RESULTS:
domcfg database.


Rob Berendt

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].