The Security Issue
In Part One I wrote that IBM recommends setting "HTTPEnableConnectorHeaders=1" in the notes.ini file when a Reverse Proxy, IBM HTTP Server etc. is placed in front of an IBM Domino server.
This makes Domino accept and understand a set of predefined HTTP request header fields.
One of the predefined HTTP Header fields is:
$WSRU: "The remote user specified for the given request"
When IBM decided that the IBM WebSphere server and the IBM Domino server should work together (meaning access "old" Domino data via the WebSphere server), they chose to do it in a "convenient" way, but from a security standpoint .. a horrible way.
You would most likely authenticate and log in at the WebSphere server, and if needed you could then access a Domino server, with the WebSphere server adding some predefined data to the HTTP headers when sending the request on to the Domino server.
However, IBM thought that since you had already authenticated on the WebSphere server, you should not need to authenticate again on the Domino server.
Instead of making a proper, secure solution, they decided that just by adding the username to the $WSRU HTTP header field in the request to the Domino server, Domino should accept this as the user and give that user access to the server.
What does this mean?
It means that if "HTTPEnableConnectorHeaders=1" is set in the notes.ini file
ANYONE can impersonate whoever they want in the Domino Directory!! ...why not go for an administrator with full access? :-)
All you need is a username, or maybe even just a shortname ....NO password is needed !!
You just need to set the HTTP header field $WSRU in the HTTP request to the Domino server.
The simplest way to test this elevated access is to use an "add-on" for your browser which adds HTTP header fields to your requests to the IBM Domino server.
This is not a bug
This is not a security bug or anything like it.
It is (in IBM lingo) "working as intended" .. just, in this case, a horrible design and implementation.
To show that what I am claiming is in fact true, I have made this short video showing the security issues in IBM Domino.
So you think you can lock down your Domino anyway?
Well you could do something like
- setting a Firewall to only accept HTTP from the Reverse Proxy
- locking down network interface to Localhost
but it is not going to seal off your Domino server.
Anything on the server with HTTP capabilities still has full elevated access with no need for a password. This could be Agents, XPages, server scripts .. you name it.
One tiny error while you try to seal every HTTP hole and .....
Believe me, this is not the route you want to go.
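As an added example (Python, not code from this post, from IBM or from any proxy product), here is the boundary a defender does control regardless of the notes.ini setting: a reverse proxy must never forward a client-supplied $WS* header, should set only the connection facts it observes itself (the $WSIS, $WSSC, $WSRA, $WSRH, $WSSN, $WSSP and $WSPR fields from the IBM list quoted in Part One below, never $WSRU), and should flag any client that tried to send $WSRU. The request and connection records are constructed, and the field names on the conn dict (remote_addr, remote_host, tls, host, port, protocol) are assumptions of this example. It is a defence-in-depth layer only: as the post says, anything with HTTP access to the server itself bypasses the proxy, so HTTPEnableConnectorHeaders=0 remains the fix.

```python
"""Connector-header hygiene at the reverse proxy.

Added example, not code from the blog post, from IBM or from any proxy
product. Client-supplied $WS* headers are never forwarded, the proxy sets
only the connection facts it knows itself, and a client that tried to send
$WSRU is flagged, because with HTTPEnableConnectorHeaders=1 Domino takes
that header as the authenticated user without any password.
"""
from typing import Dict, Iterable, List, Tuple

Header = Tuple[str, str]

# Connector headers whose values are facts about the connection that the
# proxy observes itself (names from the IBM list quoted in Part One).
# $WSRU is left out on purpose: this proxy never asserts a user identity.
PROXY_MAY_SET = {"$WSIS", "$WSSC", "$WSRA", "$WSRH", "$WSSN", "$WSSP", "$WSPR"}


def split_connector_headers(headers: Iterable[Header]) -> Tuple[List[Header], List[Header]]:
    """Partition client headers into (forwardable, dropped).

    Any name beginning with $WS (case-insensitive, surrounding whitespace
    ignored) is dropped: a client has no legitimate reason to send one.
    """
    forward, dropped = [], []
    for name, value in headers:
        if name.strip().upper().startswith("$WS"):
            dropped.append((name, value))
        else:
            forward.append((name, value))
    return forward, dropped


def upstream_headers(client_headers: Iterable[Header], conn: Dict[str, object]) -> List[Header]:
    """Headers the proxy sends on to Domino.

    conn is the proxy's own view of the accepted connection; its field
    names (remote_addr, remote_host, tls, host, port, protocol) are
    assumptions of this example, not any product's API.
    """
    forward, _ = split_connector_headers(client_headers)
    tls = bool(conn["tls"])
    own = [
        ("$WSIS", "True" if tls else "False"),
        ("$WSSC", "https" if tls else "http"),
        ("$WSRA", str(conn["remote_addr"])),
        # IBM's description: fall back to the IP when the name can't be resolved.
        ("$WSRH", str(conn.get("remote_host") or conn["remote_addr"])),
        ("$WSSN", str(conn["host"])),
        ("$WSSP", str(conn["port"])),
        ("$WSPR", str(conn["protocol"])),
    ]
    assert {n for n, _ in own} <= PROXY_MAY_SET  # never emit $WSRU
    return forward + own


def audit(requests: Iterable[Dict[str, object]]) -> List[Dict[str, str]]:
    """Flag requests whose client tried to supply connector headers.

    $WSRU gets severity "high" (an identity assertion); any other $WS*
    header "low" (probing, or a misconfigured proxy in front of this one).
    Returns one alert per offending request.
    """
    alerts = []
    for req in requests:
        _, dropped = split_connector_headers(req["headers"])
        if not dropped:
            continue
        names = {n.strip().upper() for n, _ in dropped}
        alerts.append({
            "client": str(req["client"]),
            "path": str(req["path"]),
            "severity": "high" if "$WSRU" in names else "low",
            "headers": ",".join(sorted(names)),
        })
    return alerts


# Constructed sample traffic: three client requests as the proxy sees them.
SAMPLE_REQUESTS = [
    {"client": "203.0.113.7", "path": "/names.nsf",
     "headers": [("Host", "mail.example.test"), ("$WSRU", "Jane Doe/Example"), ("Cookie", "x=1")]},
    {"client": "198.51.100.9", "path": "/mail/user.nsf",
     "headers": [("Host", "mail.example.test"), ("User-Agent", "curl")]},
    {"client": "192.0.2.22", "path": "/",
     "headers": [("host", "mail.example.test"), (" $wsra ", "10.0.0.1")]},
]

# Constructed view of the first request's connection as accepted by the proxy.
SAMPLE_CONN = {"remote_addr": "203.0.113.7", "remote_host": None, "tls": True,
               "host": "mail.example.test", "port": 443, "protocol": "HTTP/1.1"}

if __name__ == "__main__":
    for alert in audit(SAMPLE_REQUESTS):
        print(alert)
    for name, value in upstream_headers(SAMPLE_REQUESTS[0]["headers"], SAMPLE_CONN):
        print(f"{name}: {value}")
```

Run the file directly to print the alerts for the sample traffic and the header set that would go upstream for the first request. audit() is the part to wire to the proxy's access log or WAF rules; on the sample data it raises one high alert (a client-supplied $WSRU) and one low alert (a client-supplied $WSRA with odd casing and whitespace, which the normalisation still catches).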
Setting "HTTPEnableConnectorHeaders=0" in the Administrator
You should always use the Administrator client to set notes.ini variables via Configuration documents.
In case someone changes values directly in the notes.ini file, they will be overridden and corrected again from the values in the Configuration documents when the server is restarted.
Go to the Configurations tab.
If there is no Configuration document for all servers (*), consider creating one. Otherwise you must edit the Configuration document for each server.
Go to the NOTES.INI tab.
Click the Set/Modify button
Either select the present setting for HTTPEnableConnectorHeaders if you have one, or create a new one.
Set it to 0 and save.
Restart the servers when appropriate.
Published by: Jesper B. Kiær at 29-10-2015 00:21:00
IBM has lately been playing a "catch up" game in regards to security with IBM Domino. With Poodle, Heartbleed etc. IBM has been busy with fixes for IBM Domino, but it is a mess for Administrators to fix the issues, and only version 9 of IBM Domino is being fully fixed.
This means that many have been using a Reverse Proxy, like Nginx, HAProxy or the included IBM HTTP Web Server in front of the IBM Domino server as a fix.
There are lots of good guides on how to set up a Reverse Proxy in front of IBM Domino.
Jesse Gallagher has written several good guides, like this guide on how to use Nginx with IBM Domino.
IBM has several guides on how to install the IBM HTTP Server with Domino.
All the guides refer to the setting in the notes.ini that you must set on the IBM Domino server.
The setting comes from "way back when" (R6), when IBM decided to ditch IBM Domino for IBM WebSphere.
IBM wanted customers to buy IBM WebSphere servers instead of Lotus Domino servers, but customers of course still had Domino servers around for years, so IBM decided that users should be able to connect to the Domino server via the WebSphere servers.
Sort of like a Reverse Proxy.
IBM then defined several special fields to be sent in the HTTP headers from the Websphere server to the Domino server to make them work together.
$WSAT: The Auth Type that is being used to make this request.
$WSCC: The Client Certificate used for this request. If the value is not base64 encoded for us by the Web server, then the plug-in will base64 encode it before sending it across to the application server.
Restriction: If you enable this, it is assumed you know what you’re doing, and how to protect direct access to the port at which the embedded http is listening.
Note: If you set the LogLevel to TRACE in the plugin XML config file, it is possible to see what headers are actually added for a given request.
$WSCS: The cipher suite that the Web server negotiated with the client. This is not necessarily the cipher suite that the plug-in will use to send the request across to the application server.
$WSIS: This header will be set to either True or False depending on whether or not the request is secure (came in over SSL/TLS).
$WSSC: The scheme being used for the request. This header will normally be set to either http or https.
$WSPR: The HTTP protocol level being used for this request. The plug-in currently has support for up to HTTP/1.1 requests.
$WSRA: The remote IP address of the machine the client is running on.
$WSRH: The remote host name of the machine the client is running on. If the hostname can't be resolved, this header should be set to the IP address.
$WSRU: The remote user specified for the given request.
$WSSN: The server name used for this request. This should be the value that was specified in the HOST header of the incoming request.
$WSSP: The server port that the request was received on. This will be the port value that is used in route determination.
$WSSI: The SSL Session ID being used for this request. If the value is not base64 encoded for us by the Web server, the plug-in will base64 encode it before sending it across to the application server.
If HTTPEnableConnectorHeaders=1 is set in notes.ini, the Domino server reads these headers from the requests it receives via HTTP.
In my next blog entry I will tell you why this was a horrible idea and why it leaves Domino wide open.
I can tell you already that you should go and set HTTPEnableConnectorHeaders=0 on all your servers now.
Lastly .... I will show in another blog entry that you actually don't need to have this setting enabled in Domino to have a fully functional Reverse Proxy server in front of an IBM Domino server.
Published by: Jesper B. Kiær at 28-10-2015 10:35:00
In rolling out FP 4 for IBM Notes 9.0.1 at a customer, I discovered that several had issues.
The issues were that the Notes Client would completely freeze, or only redraw itself partly or wrongly, when working in the client.
Downgrading to FP 3 eliminated all the issues.
Beware: the new version of FP 4 for Domino, with the missing file included, has been released (with the same name).
Published by: Jesper B. Kiær at 17-07-2015 14:39:00
At a customer of mine we have a Domino backup solution built upon the OpenNTF kNBackup open source solution.
It has been working great for years, but we will be upgrading the servers to 64 bit Domino soon, so we had a bit of an issue since kNBackup only runs as 32 bit.
So I got my customer to sponsor development of a 64 bit solution from the 32 bit version.
We ended up with Ulrich Krause doing the job ... and he did a great job! :-)
We found a few bugs on the way and Ulrich quickly ironed them out.
It runs great and fast on both 64 bit Linux and Windows now.
My customer fully supports Open Source solutions, so go and grab the new 64 bit version (and 32 bit) at the new project Ulrich Krause has created at OpenNTF.
Published by: Jesper B. Kiær at 06-07-2015 12:36:27
now concludes 14 out of 11 are spilling sensitive information ..
That is off the charts scary data ;-)
what is next 100 out of 20 ....?
Published by: Jesper B. Kiær at 01-07-2015 18:05:35
There is a lot of good stuff implemented in the IBM Domino database and it is very stable.
There is, though, a very, very important piece missing.
There are so many ways to create and save documents in IBM Domino today, from a form, an agent, via DIIOP, via REST, from an XPage ... you name it!
If you don't have a gatekeeper watching at the document level, it is impossible to audit and control what is going on.
IBM .. please add events/hooks for when a document is saved, opened etc.
The NSF has some LS hooks/events (Database Script) for deletion of documents (and some other bizarre ones), so I would presume it would be possible to add hooks/events for the rest too without too much effort.
This has a very high priority!
OrientDB is in some ways (and in others not) a more modern version of the Domino NSF.
It has two types of hooks (Dynamic and Java hooks): http://orientdb.com/docs/last/Hook.html
"onBeforeCreate, called before creating a new document
onAfterCreate, called after creating a new document
onBeforeRead, called before reading a document
onAfterRead, called after reading a document
onBeforeUpdate, called before updating a document
onAfterUpdate, called after updating a document
onBeforeDelete, called before deleting a document
onAfterDelete, called after deleting a document "
Published by: Jesper B. Kiær at 02-06-2015 22:56:00