When you set up a new server in Domino 8.0 or later, you have the option of
setting the default to anonymous on all DBs created.
If your server has been upgraded from prior versions, you would need to
manually change those settings.
Senior Software Engineer
02/16/2011 01:57 PM
Lotus Domino Default Database Unprotected
We've contracted with IBM to perform some threat analysis of our network.
We get these Qualys reports of our vulnerabilities.
One vulnerability is that people can access a series of default Domino
databases. Out of all these the only opening was domcfg.nsf.
We already have "Allow HTTP clients to browse databases:" set to No.
The admin client makes it nice to highlight groups of these databases and
To what should I set anonymous? Keep in mind that this is a Domino
based Quickr server.
If I create a new place in Quickr and it creates its set of databases, I
did check and see that these databases are No Access for anonymous -
that's good news.
Threat details below:
Level 3 Lotus Domino Default Database Unprotected port 80/tcp
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Service Modified: 04/28/2009
User Modified: -
Anonymous access was allowed on the Lotus Domino Databases that are listed
by stealing the database.
Enable access control with username and password on the database listed in
the results section below.
There is no exploitability information for this vulnerability.
There is no malware information for this vulnerability.
This mailing list archive is Copyright 1997-2022 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact