Lotus Security Part III

Building Rock Solid Lotus Domino Security
Part III

Published in: Technology, Business
  1. Lotus Domino: Building Rock Solid Security, Part III
     © Sanjaya Kumar Saxena
  2. Domino Security: Application Perspective
  3. Recommended Input Validation
     • Remove null characters (e.g. "java0script", a null byte hidden inside "javascript")
     • Convert all tabs to spaces
     • Compact exploded words (e.g. "j a v a s c r i p t")
     • Remove disallowed javascript in link, image or div tags
     • Remove javascript event handlers such as onClick
     • Sanitize naughty HTML elements (e.g. <blink> becomes &lt;blink&gt;)
     • Escape all quotes (e.g. the quote characters in 'xxxx' are replaced by HTML entities)
     • Sanitize naughty scripting elements by converting parentheses to entities (e.g. eval('xxxx') becomes eval&#40;'xxxx'&#41;)
  4. Things to Avoid
     • Leaving a host server vulnerable to browsing
     • Failing to set access rights to databases correctly
     • Relying on database launch properties to secure data
     • Relying on empty view templates to prevent access to sensitive documents
     • Relying on hidden views to protect sensitive information
     • Using form formulas in place of Domino security
     • Failing to prevent unwanted searches of your database
     • Leaving application agents vulnerable to being invoked by browser users
  5. Application Data Security: Encryption of Local Databases
     • Don't encrypt server-based databases
     • Use named encryption keys shared between all users who should be able to access this information; even administrators cannot read it
     • Encrypt local databases on notebooks
     • Domino allows local encryption of client databases to be enforced via a policy or local setting
     • This will not provide additional security unless you protect your server.id!
     • It could have an impact on performance, especially when using "strong" mode
     • But the encrypted items can still be seen, so users can still be supported in case of problems
     • To be enabled at application level, developers and administrators need to collaborate
  6. Application Data Security: Caveats for Encryption
     • Don't import the keys into the server.id until you really need to
     • Encrypted fields cannot be used in views!
     • Make sure someone has a backup copy of the public encryption key
     • Users could also read encrypted data when they have access
     • In case of external archiving you might need an extra server without any user access, or a separate ID for accessing the databases
     • Make sure users cannot redistribute encryption keys
  7. Domino 7.x Vulnerabilities Report
  8. XSS/Buffer Overflow
     Release Date: 2008-05-21
     Impact: XSS / DoS / System Access
     From where: Remote
     Solution: Update to version 7.0.3 Fix Pack 1 (FP1) or 8.0.1.
     http://secunia.com/advisories/30310/
  9. Denial of Service
     Release Date: 2008-01-10
     Impact: DoS
     From where: Remote
     Solution: Update to version 7.0.2 Fix Pack 3.
     http://secunia.com/advisories/28411/
  10. Web Access Control/ActiveX Control
     Release Date: 2007-12-21
     Impact: System Access
     From where: Remote
     Solution: (Partial Fix) The "Mail_MailDbPath" vulnerability is reportedly fixed in Web Access ver 6.5.6, 7.0.3, and 8.0. The "General_ServerName" vulnerability will reportedly be fixed in Web Access ver 8.0.1.
     http://secunia.com/advisories/28184/
  11. XSS
     Release Date: 2007-11-02
     Impact: Unknown
     From where: Remote
     Solution: Update to version 6.5.6 Fix Pack 2 (FP2), 7.0.2 Fix Pack 2 (FP2), 7.0.3, or 8.0.
     http://secunia.com/advisories/27509/
  12. Multiple Vulnerabilities
     Release Date: 2007-10-23
     Impact: Sensitive Information Exposure / System Access
     From where: Remote
     Solution: Update to version 7.0.3 or 8.0.
     http://secunia.com/advisories/27321/
  13. Agent Signature Verification
     Release Date: 2007-06-05
     Impact: Privilege Escalation
     From where: Local Network
     Solution: Update to version Domino 6.5.6 Fix Pack 2 (FP2), Domino 7.0.2 Fix Pack 2 (FP2), Domino 7.0.3, or Domino 8.0.
     http://secunia.com/advisories/25520/
  14. Unspecified DoS
     Release Date: 2007-06-04
     Impact: DoS
     From where: Remote
     Solution: Update to Lotus Domino 7.0.3 or Lotus Domino 7.0.2 Fix Pack 2 (FP2).
     http://secunia.com/advisories/25542/
  15. Script Insertion & Buffer Overflow
     Release Date: 2007-03-28
     Impact: XSS / DoS
     From where: Remote
     Solution: Update to version 6.5.5 Fix Pack 3 (FP3), 6.5.6, or 7.0.2 Fix Pack 1.
     http://secunia.com/advisories/24633/
  16. tunekrnl Privilege Escalation
     Release Date: 2006-11-09
     Impact: Privilege Escalation
     From where: Local System
     Solution: Update to version 6.5.5 Fix Pack 2 (FP2) or 7.0.2.
     http://secunia.com/advisories/22724/
  17. NRPC Information Disclosure
     Release Date: 2006-11-09
     Impact: Sensitive Information Exposure
     From where: Local Network
     Solution: Update to version 6.5.5 Fix Pack 2 (FP2) or 7.0.2 and configure the "BLOCK_LOOKUPID" variable in the server's "notes.ini" file (see the vendor's advisory for details).
     http://secunia.com/advisories/22741/
  18. Multiple Vulnerabilities
     Release Date: 2006-03-10
     Impact: XSS / DoS
     From where: Remote
     Solution: Update to version 6.5.5 or 7.0.1.
     http://secunia.com/advisories/16340/
  19. LDAP DoS
     Release Date: 2006-03-07
     Impact: DoS
     From where: Local Network
     Solution: (Unpatched) Restrict access to the LDAP service.
     http://secunia.com/advisories/18738/
  20. In Addition
     • Many of these vulnerabilities are also present in 8.x and 6.x
     • As of now, one further vulnerability has been reported for 8.x in 2009
     • 31 advisories exist for 6.x, of which 4 remain unpatched; of these four, one is a highly critical vulnerability
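The input-validation checklist on slide 3 reads as an ordered pipeline. The following Python is an added example, not code from the deck and not Domino's own sanitizer (which in a Domino application would live in a LotusScript or Java web agent); it implements each of the eight steps in the order the slide lists them. The tag names, exploded keywords and scripting-function names are constructed lists for the example and would need tuning for a real application.

```python
import re

# Constructed word lists for this example; a real deployment would tune them.
NAUGHTY_TAGS = ("blink", "script", "iframe", "object", "embed", "applet", "meta", "style")
EXPLODABLE_WORDS = ("javascript", "vbscript", "expression")
SCRIPT_FUNCS = ("eval", "alert", "prompt", "confirm", "expression")

# href="javascript:..." style attribute values on links, images, divs etc.
_URL_ATTR = re.compile(
    r"""(?P<attr>\b(?:href|src|action|data)\s*=\s*)(?P<val>"[^"]*"|'[^']*'|[^\s>]+)""",
    re.IGNORECASE,
)
# onClick="..." and every other on* event-handler attribute (quoted or not)
_EVENT_ATTR = re.compile(r"""\s+on[a-z]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)""", re.IGNORECASE)
# opening or closing form of any naughty tag
_NAUGHTY_TAG = re.compile(r"<(/?)\s*(" + "|".join(NAUGHTY_TAGS) + r")\b([^>]*)>", re.IGNORECASE)
# eval('...') and friends: the parentheses get turned into entities
_SCRIPT_CALL = re.compile(
    r"\b(" + "|".join(SCRIPT_FUNCS) + r")(\s*)\((.*?)\)", re.IGNORECASE | re.DOTALL
)


def remove_nulls(s: str) -> str:
    """Step 1: drop embedded NUL bytes ("java\\0script" -> "javascript")."""
    return s.replace("\x00", "")


def tabs_to_spaces(s: str) -> str:
    """Step 2: tabs become spaces so later whitespace handling is uniform."""
    return s.replace("\t", " ")


def compact_exploded_words(s: str) -> str:
    """Step 3: "j a v a s c r i p t" -> "javascript" so later filters see the real word."""
    for word in EXPLODABLE_WORDS:
        pattern = r"\s*".join(re.escape(ch) for ch in word)
        s = re.sub(pattern, word, s, flags=re.IGNORECASE)
    return s


def _is_script_url(value: str) -> bool:
    # strip quotes/whitespace and collapse "java script:" style gaps before testing the scheme
    v = re.sub(r"\s+", "", value.strip("\"' ").lower())
    return v.startswith(("javascript:", "vbscript:"))


def remove_script_urls(s: str) -> str:
    """Step 4: blank out javascript: URLs in href/src/action/data attributes."""
    def fix(m):
        return m.group("attr") + '""' if _is_script_url(m.group("val")) else m.group(0)
    return _URL_ATTR.sub(fix, s)


def remove_event_handlers(s: str) -> str:
    """Step 5: strip on* event-handler attributes entirely."""
    return _EVENT_ATTR.sub("", s)


def neutralise_naughty_tags(s: str) -> str:
    """Step 6: <blink> -> &lt;blink&gt; so the browser renders the tag as text."""
    return _NAUGHTY_TAG.sub(lambda m: "&lt;" + m.group(1) + m.group(2) + m.group(3) + "&gt;", s)


def escape_quotes(s: str) -> str:
    """Step 7: quotes become entities so they cannot close an attribute or a string."""
    return s.replace('"', "&quot;").replace("'", "&#39;")


def neutralise_script_calls(s: str) -> str:
    """Step 8: eval('x') -> eval&#40;'x'&#41;, leaving the call syntactically dead."""
    return _SCRIPT_CALL.sub(r"\1\2&#40;\3&#41;", s)


PIPELINE = (
    remove_nulls, tabs_to_spaces, compact_exploded_words, remove_script_urls,
    remove_event_handlers, neutralise_naughty_tags, escape_quotes, neutralise_script_calls,
)


def sanitize(s: str) -> str:
    """Apply the eight checklist steps in the order the slide lists them."""
    for step in PIPELINE:
        s = step(s)
    return s


if __name__ == "__main__":
    # Constructed sample inputs, one per checklist item, plus a benign one
    for sample in (
        "java\x00script:alert(1)",
        '<a href="j a v a s c r i p t:alert(1)">click</a>',
        '<img src=x onerror="alert(1)">',
        "<blink>hello</blink>",
        "eval('xxxx')",
        "Hello <b>world</b>",
    ):
        print(repr(sample), "->", repr(sanitize(sample)))
```

Because the slide escapes all quotes, the output of `sanitize` is meant to be stored and displayed as text; an application that must keep some markup would apply `escape_quotes` only to text nodes. The order also matters: null removal and word compaction run first so that the later pattern checks see the real keyword rather than an obfuscated one. This is a deny-list filter, so it should be treated as one layer alongside output encoding and Domino's own access controls, not as a substitute for them.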
