When you set up a new server in Domino 8.0 or later, you have the option of
setting the default to anonymous on all DBs created.
If your server has been upgraded from prior versions, you would need to
manually change those settings.
Walter Scanlan
Senior Software Engineer
Office: 507-286-6088
Cell: 507-990-4539
From: rob@xxxxxxxxx
To: domino400@xxxxxxxxxxxx
Date: 02/16/2011 01:57 PM
Subject: Lotus Domino Default Database Unprotected
Sent by: domino400-bounces+wscanlan=us.ibm.com@xxxxxxxxxxxx
We've contracted with IBM to perform some threat analysis of our network.
We get these Qualys reports of our vulnerabilities.
One vulnerability is that people can access a series of default Domino
databases. Out of all these the only opening was domcfg.nsf.
We already have "Allow HTTP clients to browse databases:" set to No.
The admin client makes it nice to highlight groups of these databases and
modify anonymous.
To what should I set anonymous to? Keep in mind that this is a Domino
based quickr server.
If I create a new place in Quickr and it creates its set of databases, I
did check and see that these databases are No Access for anonymous -
that's good news.
Threat details below:
Level 3 Lotus Domino Default Database Unprotected port 80/tcp
QID: 10058
Category: CGI
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Service Modified: 04/28/2009
User Modified: -
Edited: No
THREAT:
Anonymous access was allowed on the Lotus Domino Databases that are listed
schedules,
by stealing the database.
SOLUTION:
Enable access control with username and password on the database listed in
the results section below.
COMPLIANCE:
Not Applicable
EXPLOITABILITY:
There is no exploitability information for this vulnerability.
ASSOCIATED MALWARE:
There is no malware information for this vulnerability.
RESULTS:
domcfg database.
Rob Berendt
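An added example to go with the thread above (it is not code from the original posts, from IBM or from Qualys): a small Python probe that requests a list of well-known Domino system databases over HTTP with no credentials and reports which ones the server hands to anonymous. The database list is an illustrative selection of real Domino system database names, not the scanner's actual list, and the login-form detection assumes the field names "Username" and "Password" used by Domino's stock session-login form; both are assumptions. The point it adds is the caveat anyone scripting this check runs into: with session-based authentication Domino can answer 200 with an HTML login form rather than 401, so a status-only check misreports a protected database as open. The embedded sample responses are constructed for offline use.

```python
"""Probe a Domino HTTP server for default databases readable by anonymous.

Added example for the domino400 thread; not the list's, IBM's or Qualys' code.
Assumptions (labelled): the DEFAULT_DBS selection, and that Domino's stock
session-login form carries fields named "Username" and "Password".
"""
import re
import urllib.error
import urllib.request

# Real Domino system database names; an illustrative selection, not the scanner's list.
DEFAULT_DBS = [
    "names.nsf", "domcfg.nsf", "log.nsf", "catalog.nsf", "webadmin.nsf",
    "admin4.nsf", "domlog.nsf", "statrep.nsf", "events4.nsf", "certlog.nsf",
]

# Assumed marker for a Domino session-login form served with HTTP 200.
LOGIN_FORM_RE = re.compile(rb'name="Username".*?name="Password"', re.I | re.S)


def _header(headers, name):
    """Case-insensitive header lookup on a plain dict."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return ""


def classify(status, headers, body):
    """Map one unauthenticated response to a verdict string."""
    if status == 401:
        return "auth-required"
    if status in (301, 302, 303, 307):
        # Session auth typically redirects to names.nsf?Login or a form mapped in domcfg.nsf.
        loc = _header(headers, "Location")
        return "auth-required" if "login" in loc.lower() else "redirect"
    if status == 403:
        return "forbidden"
    if status == 404:
        return "absent"
    if status == 200:
        # 200 is NOT proof of anonymous access: Domino may serve its login form with 200.
        return "auth-required" if LOGIN_FORM_RE.search(body or b"") else "anonymous-readable"
    return "other:%d" % status


def http_fetch(url):
    """Unauthenticated GET without following redirects; returns (status, headers, body)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, hdrs, newurl):
            return None  # surface 3xx as HTTPError instead of following it
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read(65536)
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read(65536)


def probe(base_url, dbs=DEFAULT_DBS, fetch=http_fetch):
    """Return {db: verdict}; `fetch` is injectable so the check can run offline."""
    results = {}
    for db in dbs:
        status, headers, body = fetch(base_url.rstrip("/") + "/" + db)
        results[db] = classify(status, headers, body)
    return results


def exposed(results):
    """Databases served to anonymous with no login challenge at all."""
    return sorted(db for db, v in results.items() if v == "anonymous-readable")


# Constructed sample responses (not captured from a real server) for offline runs.
SAMPLE_RESPONSES = {
    "http://h/domcfg.nsf": (200, {}, b"<html><body>Web Server Configuration</body></html>"),
    "http://h/names.nsf": (200, {}, b'<form><input name="Username"><input name="Password"></form>'),
    "http://h/log.nsf": (302, {"Location": "/names.nsf?Login"}, b""),
    "http://h/catalog.nsf": (401, {}, b""),
    "http://h/webadmin.nsf": (404, {}, b""),
}


def sample_fetch(url):
    return SAMPLE_RESPONSES[url]


def run_sample():
    """Offline run over the constructed sample; returns the probe results."""
    return probe("http://h", sorted(u.rsplit("/", 1)[1] for u in SAMPLE_RESPONSES), sample_fetch)


if __name__ == "__main__":
    import sys
    res = probe(sys.argv[1]) if len(sys.argv) > 1 else run_sample()
    for db, verdict in sorted(res.items()):
        print("%-14s %s" % (db, verdict))
    print("anonymous-readable:", exposed(res))
```

Run it with a base URL (`python probe.py http://domino.example.com`) to test a live server, or with no argument to exercise the constructed sample, where only domcfg.nsf comes back as anonymous-readable while the 200-with-login-form case on names.nsf is correctly reported as protected. Treat "anonymous-readable" as a prompt to open the database ACL and set Anonymous to No Access (or confirm the default entry is No Access), which is the fix the report's SOLUTION line asks for.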