L0pht Security Advisory

Released December 12, 1996

Application: Lotus Domino 1.5
Vulnerability Scope: Sites running Domino
Severity: Data can be edited or deleted if permissions are not set properly. Data can be entered using the identity of another user.
Author: Weld Pond

Scenario:

Lotus Domino is a web interface which allows users to access Lotus Notes databases via HTTP. Many Domino sites on the Internet have incorrect permissions granted to anonymous or registered users. Some Domino web sites have relied on the design of their web pages to keep users from accessing the commands to edit and delete documents. This can be bypassed by editing the URL for the Domino web site. Once an edit form is obtained, it is possible to enter data under the identity of another user. Server-side scripting associated with that document will be executed.

Details:

A Domino URL is broken into several parts: the IP address, the database path, an unknown ID (in hex), a document ID (in hex) and then the command. In the example below the command is OpenDocument:

http://199.99.99.99/database.nsf/e1466a8590/6048076233?OpenDocument

(The hex strings have been shortened in this example. They are actually 32 chars each.)

A Domino page for displaying a document may have hyperlinks that link to commands to edit or delete the document. We have found many web sites where these hyperlinks have been left out to keep users from editing the documents. You can edit the URL in your browser to recreate the links that have been left out. If the permissions on the document are not configured properly to deny edit permission or deny delete permission, then you will be able to edit or delete the document.

If the Domino site has permissions set to deny editing, you may still be presented with the edit form for the document. You will not be able to submit your edits, however. Sometimes the edit form contains information not visible in the display version of the document. This is often the case since it is assumed that this page was inaccessible by not providing the edit link.

To edit the document in the example above, replace the OpenDocument command at the end of the URL with EditDocument. To delete a document, replace it with DeleteDocument.

Examples:

http://199.99.99.99/database.nsf/e146fa8590/6148076233?EditDocument
http://199.99.99.99/database.nsf/e146fa8590/6148076233?DeleteDocument

Assuming another's identity

You can assume the identity of another user by creating your own edit form: save the HTML for an edit form for a document to your local disk, edit the document ID to that of a document created by another user, and submit the new form from your browser. The new document will appear in Domino to be submitted by the assumed user.

Get to an edit form by creating a new document or editing one of your own. Or, if you don't have permission, use one of the methods outlined above. Save this to disk. It will have an HTTP POST command in it like this:

(the hex values have been shortened from 32 characters)

First add in the absolute address for the Domino site to the beginning of the URL like this:

Replace the hex value before ?SaveDocument with the hex value from a document created by another user. This will appear in the URL to display another document as in the examples above. Save the file and load it into your browser. Now fill in the form and use the submit button. A new document will appear in the Domino database as entered by the assumed identity.
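The URL layout in the Details section above is also what an administrator needs in order to spot this being tried against a site. The following Python is an added example, not part of the advisory and not Lotus code: it splits a Domino URL into the parts the advisory names (database path, hex ID, document ID, command) and scans web server access log lines for requests that reach EditDocument, DeleteDocument or SaveDocument either anonymously or without arriving from one of the site's own pages. The combined log format, the site host name passed in, the Referer heuristic (a form saved to disk and submitted from there does not carry the site's Referer) and the four log lines are all constructed assumptions for this example; the real server's log layout may differ.

```python
import re
from urllib.parse import urlsplit

# Domino URL layout as given in the advisory:
#   http://<host>/<database>.nsf/<id, hex>/<document id, hex>?<command>
DOMINO_PATH = re.compile(
    r"^/(?P<database>.+?\.nsf)/(?P<view_id>[0-9a-fA-F]+)/(?P<doc_id>[0-9a-fA-F]+)$"
)

# Commands that a site hiding its edit/delete links never expects a visitor to reach.
MUTATING_COMMANDS = {"EditDocument", "DeleteDocument", "SaveDocument"}

# Combined log format (assumed here; adjust to the server's real log layout).
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log lines: a normal view, an anonymous edit attempt,
# a registered user following a real delete link, and a save without a Referer.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Dec/1996:10:00:01 -0500] "GET /database.nsf/e1466a8590/6048076233?OpenDocument HTTP/1.0" 200 2301 "http://199.99.99.99/database.nsf/e1466a8590?OpenView" "Mozilla/3.0"',
    '10.0.0.5 - - [12/Dec/1996:10:00:09 -0500] "GET /database.nsf/e1466a8590/6048076233?EditDocument HTTP/1.0" 200 3120 "-" "Mozilla/3.0"',
    '10.0.0.7 - alice [12/Dec/1996:10:01:14 -0500] "GET /database.nsf/e1466a8590/6148076233?DeleteDocument HTTP/1.0" 200 512 "http://199.99.99.99/database.nsf/e1466a8590/6148076233?OpenDocument" "Mozilla/3.0"',
    '10.0.0.9 - bob [12/Dec/1996:10:02:30 -0500] "POST /database.nsf/e1466a8590/6148076233?SaveDocument HTTP/1.0" 200 0 "-" "Mozilla/3.0"',
]


def parse_domino_url(url):
    """Split a Domino URL (or bare request path) into its parts; None if it is not one."""
    parts = urlsplit(url)
    m = DOMINO_PATH.match(parts.path)
    if not m:
        return None
    return {
        "host": parts.hostname,
        "database": m.group("database"),
        "view_id": m.group("view_id"),
        "doc_id": m.group("doc_id"),
        "command": parts.query,
    }


def find_suspicious(log_lines, site_host):
    """Return one finding per request that reaches an unlinked Domino command
    either anonymously or without arriving from the site's own pages."""
    findings = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = parse_domino_url(m.group("target"))
        if url is None or url["command"] not in MUTATING_COMMANDS:
            continue
        reasons = []
        if m.group("user") == "-":
            reasons.append("anonymous")
        # Heuristic assumed for this example, not from the advisory: a form saved
        # to disk and submitted from there carries no Referer from the site, so an
        # empty or off-site Referer on a mutating command is worth a look.
        referer_host = urlsplit(m.group("referer")).hostname
        if referer_host != site_host:
            reasons.append("referer not from site")
        if reasons:
            findings.append({
                "client": m.group("client"),
                "user": m.group("user"),
                "doc_id": url["doc_id"],
                "command": url["command"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG, "199.99.99.99"):
        print(f'{hit["client"]} user={hit["user"]} {hit["command"]} doc={hit["doc_id"]}: '
              + ", ".join(hit["reasons"]))
```

Run against the sample lines this reports the anonymous EditDocument request and bob's SaveDocument POST with no Referer, and stays quiet about alice's DeleteDocument because she reached it from the site's own display page. Findings are only a prompt to check the database's access control: the advisory's point is that the hidden links were never a control, and the document permissions are what has to deny the edit or delete.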