Re: Lotus Domino Default Database Unprotected -- DOMINO400

When you setup a new server in Domino 8.0 or later, you have the option of
setting the default to anonymous on all DBs created
If you server has been upgraded from prior versions, you would need to
manually change those settings.

Walter Scanlan
Senior Software Engineer
Office: 507-286-6088
Cell: 507-990-4539

From:
rob@xxxxxxxxx
To:
domino400@xxxxxxxxxxxx
Date:
02/16/2011 01:57 PM
Subject:
Lotus Domino Default Database Unprotected
Sent by:
domino400-bounces+wscanlan=us.ibm.com@xxxxxxxxxxxx

We've contracted with IBM to perform some threat analysis of our network.
We get these qualsys reports of our vulnerabilities.
One vulnerability is that people can access a series of default Domino
databases. Out of all these the only opening was domcfg.nsf.
We already have "Allow HTTP clients to browse databases:" set to No.
The admin client makes it nice to highlight groups of these databases and
modify anonymous.
To what should I set anonymous to? Keep in mind that this is a Domino
based quickr server.
If I create a new place in Quickr and it creates it's set of databases I
did check and see that these databases are No Access for anonymous -
that's good news.

Threat details below:

Level 3 Lotus Domino Default Database Unprotected port 80/tcp
QID: 10058
Category: CGI
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Service Modified: 04/28/2009
User Modified: -
Edited: No
THREAT:
Anonymous access was allowed on the Lotus Domino Databases that are listed

in the results section. These databases enable users to view logs,
manage users, manage certificates, etc.
We have checked for anonymous access on the following databases:
admin4 database.
webadmin database.
certlog database.
log database.
names database.
catalog database.
domcfg database.
domlog database.
ccnotbb database.
clubusy database.
statrep database.
nntppost database.
nd000002 database.
nd000001 database.
nd000000 database.
smtpobwq database.
smtpibwq database.
mailobj database.
mtatbls database.
madman database.
x400log database.
mailobj1 database.
mtaforms database.
billing database.
dspug database.
events4 database.
events database.
reports database.
reports4 database.
report4 database.
statmail database.
AgentRunner database.
certsrv database.
busytime database.
cpa database.
decsadm database.
ssw database.
certca database.
unames database.
ssladmin database.
decomsrv database.
dba4 database.
dsgnsyn database.
loga4 database.
clusta4 database.
tmparchv database.
DBLIB4 database.
dblib4 database.
userreg database.
user.id database.
ispy50 database.
mtstore database.
INCONFIG database.
inconfig database.
modems database.
schema50 database.
closingbill database.
userobj database.
opendominoserver database.
getdominoiisstats database.
setup database.
setupweb database.
cldbdir database.
srchsite database.
redir database.
perweb database.
resources database.
Contacts1 database.
Search database.
search database.
Admin database.
admin database.
Main database.
master database.
web database.
homepage database.
webadmin database.
IMPACT:
Unauthorized users can gather sensitive information, such as
authentication certificates for users, custom database names, logfiles and

schedules,
by stealing the database.
SOLUTION:
Enable access control with username and password on the database listed in

the results section below.
COMPLIANCE:
Not Applicable
EXPLOITABILITY:
There is no exploitability information for this vulnerability.
ASSOCIATED MALWARE:
There is no malware information for this vulnerability.
RESULTS:
domcfg database.

Rob Berendt