(Vendor Provides Recommendation) Re: Lotus Domino Web Server Discloses User Account Validity Information to Remote Users
Date: Feb 19 2002
Impact: Disclosure of system information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 5.0.8
Description: An information disclosure vulnerability was reported in the Lotus Domino web server. A remote user can obtain information about valid user account names on the server.
It is reported that a remote user can generate an HTTP GET request for a certain module that will return a different message depending on whether the requested user account name exists or not.
For example, a remote user can request the following:
GET /mail/toto.nsf HTTP/1.0
This will apparently redirect to the login page (with a "200 OK" HTTP code) if the user "toto" exists. If the user "toto" does not exist, the server will apparently return a "404 File not Found" error message.
A remote user can use this information in mounting a brute force password guessing attack against the server.
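As an added example (not from the advisory or from Lotus), a log check that looks for the enumeration pattern described above: one client requesting many distinct /mail/<name>.nsf files and receiving mostly 404s. The log lines are constructed in Common Log Format for illustration and are not real Domino logs; the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not real Domino output).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Feb/2002:19:52:25 -0500] "GET /mail/toto.nsf HTTP/1.0" 404 0
10.0.0.5 - - [18/Feb/2002:19:52:26 -0500] "GET /mail/jsmith.nsf HTTP/1.0" 200 512
10.0.0.5 - - [18/Feb/2002:19:52:27 -0500] "GET /mail/asmith.nsf HTTP/1.0" 404 0
10.0.0.5 - - [18/Feb/2002:19:52:28 -0500] "GET /mail/bjones.nsf HTTP/1.0" 404 0
10.0.0.5 - - [18/Feb/2002:19:52:29 -0500] "GET /mail/cwhite.nsf HTTP/1.0" 404 0
10.0.0.9 - - [18/Feb/2002:19:53:01 -0500] "GET /mail/jsmith.nsf HTTP/1.0" 200 512
10.0.0.9 - - [18/Feb/2002:19:53:05 -0500] "GET /names.nsf HTTP/1.0" 200 2048
"""

# Matches only GET requests for a mail file directly under /mail/.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>/mail/[^/\s]+\.nsf)[^"]*" (?P<status>\d{3})'
)


def find_enumeration(log_text, min_requests=4, min_404_ratio=0.5):
    """Return {client_ip: (distinct_mail_files, missing_mail_files)} for clients
    whose /mail/*.nsf requests look like name guessing: many distinct mail files
    with a high share of 404s. A legitimate user opens one or two mail files and
    rarely hits a 404, so this separates probing from normal webmail use."""
    probed = defaultdict(set)   # ip -> set of mail-file paths requested
    missing = defaultdict(set)  # ip -> subset of those paths that returned 404
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a mail-file request; ignore
        ip, path, status = m.group("ip"), m.group("path"), m.group("status")
        probed[ip].add(path)
        if status == "404":
            missing[ip].add(path)
    alerts = {}
    for ip, paths in probed.items():
        ratio = len(missing[ip]) / len(paths)
        if len(paths) >= min_requests and ratio >= min_404_ratio:
            alerts[ip] = (len(paths), len(missing[ip]))
    return alerts
```

A server that has moved to the "Fewer name variations with higher security" setting or to randomised mail-file names should show few such 200/404 splits, so a persistent alert from this check is also a hint that the mitigation is not in place.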
Impact: A remote user can determine if specific user account names exist on the server.
Solution: Lotus has confirmed that a remote user can determine the validity of a user name by issuing a GET request for a user's mail file.
To prevent this type of attack from being successful, Lotus reports that administrators can choose the "Fewer name variations with higher security" Web server authentication option.
This can reportedly be configured as follows:
Go to the Security tab of the Server document in the Domino Directory and under Web Server Access, select "Fewer name variations with higher security" as the Web Server Authentication option.
Lotus says that another option is to name mail files randomly when registering users instead of accepting the default file name, which is based on the user's name.
Vendor URL: www.ibm.com/support/manager.wss?rs=1&rt=0&org=sims&doc=221311F958D2575C85256B5A00814480
Cause: Access control error, State error
|
Underlying OS: Windows (NT), Windows (2000)
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Mon, 18 Feb 2002 19:52:25 -0500
Subject: Lotus Domino User Name Enumeration Vulnerability
Lotus Domino User Name Enumeration Vulnerability
Technotes Number: 191083
Lotus has issued a Technote regarding the report that a remote user can
determine the validity of a user name by issuing a GET request for a
user's mail file.
Lotus reports that this technique is based on the assumption that the
name of the user's mail file corresponds exactly to a valid user name
for authentication purposes. To prevent this type of attack from being
successful, administrators can choose the "Fewer name variations with
higher security" Web server authentication option.
This can reportedly be configured as follows:
Go to the Security tab of the Server document in the Domino Directory
and under Web Server Access, select "Fewer name variations with higher
security" as the Web Server Authentication option.
Lotus says that another option is to name mail files randomly when
registering users instead of accepting the default file name, which is
based on the user's name.
Lotus has indicated that the following conditions must be met for this
vulnerability to be exploitable:
- The server must be hosting publicly-accessible iNotes Web Access or
Webmail users. Unless a site is explicitly supporting Internet mail,
there is no reason to have mail files on the server.
- The name of the user's mail file must correspond exactly to the value
of the shortname field in the user's Person record.
- The Web server authentication option for the server is configured as
"More name variations with lower security" in the Server
- The remote user must be able to correctly guess the name of a user's
mail file
- The remote user must then be able to guess the user's password
This information is based on the following document:
http://www-1.ibm.com/support/manager.wss?rs=1&rt=0&org=sims&doc=221311F958D2575C85256B5A00814480