The Lotus Domino Security Flaw - I have been hit by this, and you have too, I am sure. You might just not have known it
I have always been fascinated by thinking a little bit like the "hacker" does, in a good way of course. I am the good guy trying to protect my customer :-)
What happens if I change this bit here? Or if I use the application in a non-conventional way? Am I covered security-wise, or is there a door open here?
Lotus Notes and Domino is in general a good and secure platform, but sometimes IBM gets it wrong, or you (or the "other guy"), the developer, make some bad design choices, which leave holes in the security.
Today I will tell you about a flaw in Domino which, in a worst-case scenario, could lead to data getting modified or deleted by the user.
Data which the user wasn't even supposed to have access to!
So here it is, the Lotus Domino Security Flaw:
- Create a new plain form
- Add some fields (text, editable)
- Create a Save button
- Open it in a browser
- Fill in some data
- Save the document
This is what gets saved:
This is perfect!
Now you decide that the field "c" is only for the Notes client, not for the browser.
Maybe the admin uses the Notes client and needs access to more fields than the regular web user.
So you hide the "c" field from the web user with a "hide-when" formula.
In the browser it looks like this now:
Source code from the browser:
<form method="post" action="/demo/demo.nsf/demo1!OpenForm&Seq=1" name="_demo1">
<input name="__Click" value="C1257680003052A0.7c02b277003fcd41c125768000305ca4/$Body/0.2E6" type="hidden">
<input name="a" value="">
<input name="b" value="">
<input value="Save" onclick="return _doClick('C1257680003052A0.7c02b277003fcd41c125768000305ca4/$Body/0.340', this, null)" type="button">
</form>
So everything is fine and the way we want it?
No it is not :-)
Tomorrow I will show you where the security flaw is.
Posted on 12/02/2009 01:52:07 PM CET