Security hole leaves IBM Domino server wide open - Part Two

The Security Issue

In Part One I wrote that is recommended by IBM to set "HTTPEnableConnectorHeaders=1" in the notes.ini file when having a Reverse Proxy, IBM HTTP server etc in front of a IBM Domino server
This makes the Domino accept and understand some predefined HTTP request header fields.
One of the predefined HTTP Header fields is:

$WSRU: "The remote user specified for the given request"

When IBM decided that the IBM Websphere server and the IBM Domino server should work together, (meaning access "old" Domino data via the Websphere server) they chose to do it in a "convenient" way, but from a security standpoint .. a horrible way .
You would most likely authenticate and log in at the Websphere server and if needed you could then access a Domino server by the Websphere server adding some predefined data to HTTP headers when sending the the request to the Domino server.
However IBM thought that since you had already authenticated on the Websphere server, you should not need to authenticate again on the Domino server.
Instead of making a proper secure solution they decided that just by adding the username to the $WSRU HTTP header field in the request to the Domino server, it should accept this as the user and give the user access to the server.

What do this mean?
It means that if "HTTPEnableConnectorHeaders=1" is set in the notes.ini file

ANYONE can impersonate who ever they want in the Domino Directory!! ...why not go for an administrator with full access? :-)

All you need is a username or maybe even just a shortname, ....NO password is needed !!
You just need to set the HTTP header field $WSRU in the HTTP request to Domino server
You can do that in one line in Javascript, Java ...even in Formula language in Notes/Domino

The simplest way to test this elevated access is to use an "add on" your browser which adds HTTP header fields to your requests to the IBM Domino server.

This is not a bug
This is not a security bug and anything like it.
It is (in IBM lingo) "working as intended" .. just in this case a horrible design and implementation.
To show you that is in fact true what I am claiming ...I have made this short video showing the security issues in IBM Domino.

So you think you can lock down you Domino anyway?
Well you could do something like

- setting a Firewall to only accept HTTP from the Reverse Proxy
- locking down network interface to Localhost

but it is not going to seal off your Domino server.

Anything on the server with HTTP capabilities still have full elevated access with no need for password. This could be Agents, XPages, server name it
One tiny error in you trying to seal every HTTP hole and.....

Believe me this not the route you want to go.

Setting "HTTPEnableConnectorHeaders=0" in the Administrator
You should always use the administrator to set notes.ini variables via Configurations documents.
In case someone changes values directly in the notes.ini file it will get overridden and corrected again when the server is restarted from the values in the Configuration documents .

Go to the Configurations tab.
If there is no Configuration document for all servers (*) consider creating one. Otherwise you must edit the configuration documents for each server.

for all servers

Goto to the NOTES.INI tab

Click the Set/Modify button

Either select the present setting for HTTPEnableConnectorHeaders if you have one or create a new one.

set it to 0 and save.

Restart the servers when appropriate

Posted on 09/28/2015 10:39:25 PM CEDT