You should also turn off "Read Public Documents" and "Write Public Documents"
because these settings apply even when the ACL is otherwise set to No Access.

In addition, the posted script will give false positives on many Domino
servers on which requests for sensitive databases will automatically redirect
to the Login page (with a "200 OK" HTTP message).

There are literally hundreds of default databases installed not only with the
base Domino server but also with typical add-on features like DOLS, SameTime,
QuickPlace, and LEI. Many of these have poor default ACLs.

Allow me to give a blatant plug for NeXpose, Rapid 7's security scanning tool.
It scans for over 170 Domino vulnerabilities (including the misconfigured ACLs
of the databases I mentioned, buffer overflows, cross-site scripting, etc.).
NeXpose also has a nice feature of automatically pulling all the usernames and
HTTP password hashes (in many cases) out of the server's NAB, if it has the
default ACLs. You can download it from http://www.rapid7.com

Also, you'll want to get the Falling Dominos presentation that Kevin McPeake
and Chris Coggins have been giving at DEFCon. Do a Google search for Falling
Dominos and you should be able to find it archived somewhere.

Chad Loder
Rapid 7, Inc.

At Thursday 1/31/2002 08:03 PM +0000, you wrote:
>This isn't a proof of concept, but more a probe for misconfigured database
>ACLs.
>
>If a Domino web server doesn't have a redirection URL for /mail/* mail
>files, then you rely on the access control for each mail file.
>
>Two things can be done to avoid this:
>
>1 - Change the ACL on sensitive databases ( /mail/* , names.nsf ) to:
>    Anonymous - No access
>    [Default] - No access
>
>2 - Within the Server Document for each server, ensure that "Allow HTTP
>clients to browse databases:" is set to "No"
>
>I believe that all versions of Domino server from 4.5 upwards are
>susceptible to badly configured ACLs. Any good administrator would have a
>hold of this already.
>
>
>
>#!/usr/local/bin/php -q
><?
>
><snip>
>
></snip>
>
>fclose ($fd);
>
>?>

______________________________________
Chad Loder <chad@rapid7.com>
Principal Engineer
Rapid 7, Inc. <http://www.rapid7.com>
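The hardening steps from the quoted post and the reply (Anonymous and default entries at No Access, the public-document flags off, database browsing disabled), as an added configuration audit that is not code from either message: it resolves the access an unauthenticated web user would get on each database and reports anything that departs from those settings. It assumes the ACLs have already been exported into the small data structures shown (constructed sample data), and uses Domino's "-Default-" name for the entry the post calls [Default].

```python
from dataclasses import dataclass

# Domino ACL levels, weakest to strongest.
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]

@dataclass
class AclEntry:
    level: str
    read_public: bool = False    # "Read Public Documents" checkbox on this entry
    write_public: bool = False   # "Write Public Documents" checkbox on this entry

def anonymous_entry(acl: dict) -> AclEntry:
    """Entry an unauthenticated web user resolves to: Anonymous if present, else -Default-."""
    return acl.get("Anonymous") or acl.get("-Default-") or AclEntry("No Access")

def audit_database(db: str, acl: dict) -> list:
    """Findings for one database, checked against the post's recommended ACL."""
    findings = []
    entry = anonymous_entry(acl)
    if LEVELS.index(entry.level) > LEVELS.index("No Access"):
        findings.append(f"{db}: anonymous web users get {entry.level} (set Anonymous and -Default- to No Access)")
    # These flags grant access on their own, even when the level is No Access.
    if entry.read_public:
        findings.append(f"{db}: Read Public Documents is on for anonymous users")
    if entry.write_public:
        findings.append(f"{db}: Write Public Documents is on for anonymous users")
    return findings

def audit_server(databases: dict, allow_browse: bool) -> list:
    """Audit every database plus the server-document browsing setting."""
    findings = []
    if allow_browse:
        findings.append("server: 'Allow HTTP clients to browse databases' is Yes (set it to No)")
    for db, acl in databases.items():
        findings.extend(audit_database(db, acl))
    return findings

# Constructed sample: three databases as they might be set on a mis-configured server.
SAMPLE_DATABASES = {
    # No Anonymous entry, so web users fall back to -Default- = Reader: exposed.
    "names.nsf": {"-Default-": AclEntry("Reader")},
    # Level is No Access, but the public-documents flag still grants reads.
    "mail/jdoe.nsf": {"Anonymous": AclEntry("No Access", read_public=True),
                      "-Default-": AclEntry("No Access")},
    # Anonymous entry overrides a permissive -Default-: nothing to report.
    "mail/asmith.nsf": {"Anonymous": AclEntry("No Access"),
                        "-Default-": AclEntry("Editor")},
}
```

Calling `audit_server(SAMPLE_DATABASES, allow_browse=True)` yields three findings: the browsing setting, names.nsf readable by anonymous users, and the public-documents flag on mail/jdoe.nsf; the third database is clean because its Anonymous entry takes precedence over -Default-.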