We have IBM doing some benevolent hacking. They've come up with some
recommendations like the following:
Any problems with their recommendations?

Description:
The Domino server has been configured to allow anonymous access to the
Domino Configuration Database (domcfg.nsf). This database would allow an
attacker to view and potentially modify URL mappings, URL redirection, and
other administrative functions of your Domino site.

Vulnerability Solution:
Open the database in the Lotus Notes client and edit the ACL.
Change the access level for Default and Anonymous to "No Access".
If this information is not critical for distribution to other domains,
also restrict access for OtherDomainServers to "No Access".
For all entries set to "No Access", also verify that the "Read public
documents" and "Write public documents" are unchecked. If not, access
will still be permitted for any public documents.



Description:
The HTTP TRACE method is normally used to return the full HTTP request
back to the requesting client for proxy-debugging purposes. An attacker
can create a webpage using XMLHTTP, ActiveX or XMLDOM to cause a client to
issue a TRACE request and capture the client's cookies. This effectively
results in a Cross-Site Scripting attack.

Vulnerability Solution:
Lotus Domino
Disable HTTP TRACE Method for Domino
Follow IBM's instructions for disabling HTTP methods on the Domino server
by adding the following line to the server's NOTES.INI file:
HTTPDisableMethods=TRACE
After saving NOTES.INI, restart the Notes web server by issuing the
console command "tell http restart".


Rob Berendt
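Added example, not from the post above and not IBM's scanner or Domino's own tooling: a small Python checker for the two findings, run from the client side over plain HTTP. It asks for /domcfg.nsf with no credentials and sends a TRACE request carrying a marker cookie, then reports whether the database is served anonymously and whether the request is echoed back (the cross-site tracing behaviour the second finding describes). The local "stand-in" server, the marker cookie value, the loopback host and ports are constructed for the demo so it runs offline; a real run replaces them with the Domino host and port.

```python
"""Client-side checks for the two Domino findings quoted in the post above.

Added example, not IBM's or Domino's own code. The stand-in server at the
bottom is a constructed fake of a Domino HTTP task used only so that the
checks can be exercised offline; it toggles between the scanner's "before"
state and the state after both fixes (ACL set to No Access, and
HTTPDisableMethods=TRACE in NOTES.INI).
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed marker; any value that cannot occur by accident in a page works.
MARKER_COOKIE = "xst_probe=4f2a9c"


def trace_enabled(host, port, timeout=5):
    """Send TRACE / with a marker cookie; True if the server echoes it back.

    A server that supports TRACE reflects the request message as the response
    body (Content-Type message/http). That reflection is what lets a page in
    the browser read cookies it could not otherwise see, so an echo of our
    marker means the finding is still present.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={"Cookie": MARKER_COOKIE})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", "replace")
    finally:
        conn.close()
    return resp.status == 200 and MARKER_COOKIE in body


def anonymous_readable(host, port, path="/domcfg.nsf", timeout=5):
    """GET a database path with no credentials; True if it is served (200).

    With Anonymous and Default at No Access, Domino answers 401 (basic auth)
    or redirects to a login form (session auth); either way it is not 200.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
    finally:
        conn.close()
    return resp.status == 200


def audit(host, port):
    """Run both checks; each value is True if the finding is still present."""
    return {
        "domcfg.nsf anonymous read": anonymous_readable(host, port),
        "HTTP TRACE enabled": trace_enabled(host, port),
    }


class StandInHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a Domino HTTP task (not real Domino)."""

    def log_message(self, fmt, *args):  # keep the demo quiet
        pass

    def _send(self, status, body, ctype="text/plain"):
        data = body.encode("latin-1", "replace")
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        # Domino paths are case-insensitive, so compare lower-cased.
        if self.path.lower().startswith("/domcfg.nsf"):
            if self.server.hardened:
                # ACL fixed: anonymous gets a challenge instead of the database.
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="/"')
                self.send_header("Content-Length", "0")
                self.end_headers()
            else:
                self._send(200, "<html>Web Site Rules</html>", "text/html")
        else:
            self._send(200, "home page")

    def do_TRACE(self):
        if self.server.hardened:
            # HTTPDisableMethods=TRACE in effect: method refused.
            self._send(405, "Method Not Allowed")
            return
        # Default behaviour: reflect the request line and headers, cookie included.
        self._send(200, self.requestline + "\r\n" + str(self.headers), "message/http")


def start_stand_in(hardened):
    """Start the stand-in on an ephemeral loopback port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), StandInHandler)
    srv.hardened = hardened
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    for hardened in (False, True):
        srv, port = start_stand_in(hardened)
        print("hardened" if hardened else "before fixes", audit("127.0.0.1", port))
        srv.shutdown()
        srv.server_close()
```

Against a real server, call audit("your-domino-host", 80) (or the HTTPS port through an HTTPSConnection) before and after applying the two recommendations and after "tell http restart". The check treats any non-200 status as protected, so a server that returns 200 for its own error page would give a false negative on the domcfg.nsf test; confirm that case by looking at the body.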


This mailing list archive is Copyright 1997-2019 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].