| Field | Value |
|---|---|
| VID | 22211 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | WWW |
| Detailed Description | The Lotus Domino server contains default databases that allow remote access by anonymous users. Lotus Domino is an application framework for web-based collaborative software and runs on multiple platforms, including Windows and Unix. The default databases on a Domino server should be protected by appropriate authentication; however, because of a server misconfiguration, anonymous users can reach these databases remotely. As a result, a remote attacker can retrieve sensitive information from the default databases, such as user lists, database names, server configuration (including the operating system and hard disk partitioning), and logs of user access. |
| References | http://www.nextgenss.com/papers/hpldws.pdf |
| Platforms Affected | Lotus Domino Server, any version |
| Recommendation | Verify the ACLs of these databases and disable anonymous access to each of them. 1. Open the Domino Administrator Client. 2. Select "Database/Open" from the "File" menu. 3. In the "Server" combo box, choose the server containing the database to modify. 4. In the "Database" section, choose the database to modify and click the "Open" button. 5. Select "Database/Open" from the "File" menu. 6. Select the "Anonymous" or "-Default-" user under the "People, Servers, Groups" list. 7. Change the "Access" combo box value to "No Access" and click the "OK" button. |
| Related URL | CVE-2000-0021, CVE-2002-0664 (CVE) |
| Related URL | 5101 (SecurityFocus) |
| Related URL | 10057 (ISS) |