Anonymous access to domcfg.nsf, decsdoc.nsf, dolshelp.nsf, lccon.nsf, lsxlc.nsf, readme.nsf, and, HTTP Trace,

We have IBM doing some benevolent hacking. They've come up with some
recommendations like the following:
Any problems with their recommendations

Description:
The Domino server has been configured to allow anonymous access to the
Domino Configuration Database (domcfg.nsf). This database would allow an
attacker to view and potentially modify URL mappings, URL redirection, and
other administrative functions of your Domino site.

Vulnerability Solution:
Open the database in the Lotus Notes client and edit the ACL.
Change the access level for Default and Anonymous to "No Access".
If this information is not critical for distribution to other domains,
also restrict access for OtherDomainServers to "No Access".
For all entries set to "No Access", also verify that the "Read public
documents" and "Write public documents" are unchecked. If not, access
will still be permitted for any public documents.



Description:
The HTTP TRACE method is normally used to return the full HTTP request
back to the requesting client for proxy-debugging purposes. An attacker
can create a webpage using XMLHTTP, ActiveX or XMLDOM to cause a client to
issue a TRACE request and capture the client's cookies. This effectively
results in a Cross-Site Scripting attack.

Vulnerability Solution:
Lotus Domino
Disable HTTP TRACE Method for Domino
Follow IBM's instructions for disabling HTTP methods on the Domino server
by adding the following line to the server's NOTES.INI file:
HTTPDisableMethods=TRACE
After saving NOTES.INI, restart the Notes web server by issuing the
console command "tell http restart".


Rob Berendt