We have IBM doing some benevolent hacking. They've come up with some
recommendations like the following:
Any problems with their recommendations?
The Domino server has been configured to allow anonymous access to the
Domino Configuration Database (domcfg.nsf). This database would allow an
attacker to view and potentially modify URL mappings, URL redirection, and
other administrative functions of your Domino site.
Open the database in the Lotus Notes client and edit the ACL.
Change the access level for Default and Anonymous to "No Access".
If this information is not critical for distribution to other domains,
also restrict access for OtherDomainServers to "No Access".
For all entries set to "No Access", also verify that the "Read public
documents" and "Write public documents" are unchecked. If not, access
will still be permitted for any public documents.
The HTTP TRACE method is normally used to return the full HTTP request
back to the requesting client for proxy-debugging purposes. An attacker
can create a webpage using XMLHTTP, ActiveX or XMLDOM to cause a client to
issue a TRACE request and capture the client's cookies. This effectively
results in a Cross-Site Scripting attack.
Disable HTTP TRACE Method for Domino
Follow IBM's instructions for disabling HTTP methods on the Domino server
by adding the following line to the server's NOTES.INI file:
After saving NOTES.INI, restart the Notes web server by issuing the
console command "tell http restart".
IBM Certified System Administrator - IBM i 6.1
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
Kendallville, IN 46755
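To verify the two findings above from the outside (before and after applying IBM's ACL and NOTES.INI changes), here is an added example check script; it is not part of the original post and not IBM's or the list's code. It sends a TRACE request with a random marker header and reports TRACE as enabled only if the server answers 200 and echoes the marker back, then requests /domcfg.nsf anonymously and reports it open only if the server serves it without a credential challenge or a redirect to a login page. The login-form markers, the hostname domino.example and the sample responses in demo() are constructed assumptions; the exact status Domino returns for a refused TRACE is not assumed, any non-200 counts as refused.

```python
"""Offline-testable checks for anonymous domcfg.nsf access and HTTP TRACE."""
import http.client
import secrets
from typing import Mapping, NamedTuple


class Finding(NamedTuple):
    check: str
    vulnerable: bool
    detail: str


# Assumed markers of a Domino login page (session-based auth); heuristic only.
LOGIN_HINTS = ("?login", 'name="password"', "names.nsf?login")


def _lower_keys(headers: Mapping[str, str]) -> dict:
    """Header names are case-insensitive; normalise before lookup."""
    return {k.lower(): v for k, v in headers.items()}


def assess_trace(status: int, headers: Mapping[str, str], body: str, marker: str) -> Finding:
    """TRACE is usable if the server answers 200 and the body echoes our
    marker header. Any other status (405, 501, 403) means it was refused."""
    ctype = _lower_keys(headers).get("content-type", "n/a")
    if status == 200 and marker in body:
        return Finding("http-trace", True, f"TRACE echoed the request (Content-Type={ctype})")
    return Finding("http-trace", False, f"TRACE refused with HTTP {status}")


def assess_domcfg(status: int, headers: Mapping[str, str], body: str) -> Finding:
    """domcfg.nsf is anonymously readable if it is served (200) with no
    credential challenge (401) and no redirect to a login form. A 200 that is
    itself a login page is treated as restricted; inspect the body on a hit."""
    h = _lower_keys(headers)
    location = h.get("location", "").lower()
    if status == 401 or "www-authenticate" in h:
        return Finding("domcfg-anon", False, "server challenged for credentials")
    if status in (301, 302, 303, 307) and any(x in location for x in LOGIN_HINTS):
        return Finding("domcfg-anon", False, f"redirected to login: {location}")
    if status == 200 and any(x in body.lower() for x in LOGIN_HINTS):
        return Finding("domcfg-anon", False, "200 response is a login form")
    if status == 200:
        return Finding("domcfg-anon", True, "domcfg.nsf served to an anonymous client")
    return Finding("domcfg-anon", False, f"HTTP {status}; not anonymously readable")


def _request(host, port, tls, timeout, method, path, headers):
    """One request on a fresh connection (servers may close after TRACE)."""
    cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        conn.request(method, path, headers=headers)
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders()), resp.read().decode("latin-1")
    finally:
        conn.close()


def probe(host: str, port: int = 80, tls: bool = False, timeout: float = 5.0) -> list:
    """Run both checks against a live Domino HTTP task (needs network)."""
    marker = secrets.token_hex(8)
    st, hd, body = _request(host, port, tls, timeout, "TRACE", "/", {"X-Probe": marker})
    trace = assess_trace(st, hd, body, marker)
    st, hd, body = _request(host, port, tls, timeout, "GET", "/domcfg.nsf", {})
    return [trace, assess_domcfg(st, hd, body)]


def demo() -> list:
    """Exercise the assessors on constructed responses, no network needed."""
    marker = "deadbeef"
    echo = f"TRACE / HTTP/1.1\r\nHost: domino.example\r\nX-Probe: {marker}\r\n\r\n"
    return [
        assess_trace(200, {"Content-Type": "message/http"}, echo, marker),   # enabled
        assess_trace(405, {"Allow": "GET, HEAD, POST"}, "", marker),         # disabled
        assess_domcfg(200, {"Content-Type": "text/html"}, "<html>domcfg view</html>"),  # open
        assess_domcfg(401, {"WWW-Authenticate": 'Basic realm="/domcfg.nsf"'}, ""),      # closed
        assess_domcfg(302, {"Location": "/names.nsf?Login&RedirectTo=%2Fdomcfg.nsf"}, ""),  # closed
    ]


if __name__ == "__main__":
    import sys
    for f in (probe(sys.argv[1]) if len(sys.argv) > 1 else demo()):
        print(f"{f.check:12} {'VULNERABLE' if f.vulnerable else 'ok':10} {f.detail}")
```

Run it with no arguments to see the constructed cases, or with a hostname to test a server; a clean result after the fixes should show TRACE refused and domcfg.nsf answered with a 401 or a login redirect.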
This is the Lotus Domino on the IBM i (AS/400 and iSeries) (Domino400) mailing list.