This presentation was by Jian Hui Wang, a security professional who describes herself as “a nobody in NYC”.  It covered Lotus Notes/Domino web application architecture and security features, common web application development mistakes and their fixes, and test methodology.

Lotus Notes/Domino History

Lotus Notes is the client and Domino is the server.  Domino supports multiple protocols behind one interface (HTTP, LDAP, SMTP/POP/IMAP, file sharing).  It is strong on workflow and collaborative applications and is used by .gov, .edu, and .com sites.  A Google search shows 66 million Notes databases facing the internet.  People use it because it is easy to develop and deploy a simple application, it has granular access control and good logging, and it integrates well with e-mail.

Notes Databases

A Notes database (.nsf or .ntf) is the building block of a Domino application.  A Notes database is a container for data (documents, messages, web pages) and design elements (forms, pages, views, folders, navigators, agents, framesets, outlines).

The Domino server architecture has two components: an HTTP server and the Domino engine (URL parser, command handler, and database).

Web Access Syntax

  • http://host/Database/NotesObject?Action&Arguments
  • Database = the Notes database (path to the .nsf/.ntf)
  • NotesObject = the web-accessible design element
  • Action = the action on the NotesObject
  • Arguments = the qualifiers for the action (optional)
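To make the URL syntax concrete, here is a small parser written for these notes (it is not code from the talk or from Domino).  It splits a Domino web URL into the four parts above and then flags requests that hit the default databases and default design elements listed under Common Security Mistakes below, which is the kind of check an auditor would run over an HTTP access log.  The log lines are constructed samples in common log format; the host name `domino` and the database path `apps/crm.nsf` are assumptions.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit, unquote

# Default databases and default design elements named in the talk's list of
# common mistakes, lower-cased so matching is case-insensitive.
DEFAULT_DATABASES = {
    "statrep.nsf", "schema.nsf", "reports.nsf", "names.nsf", "log.nsf",
    "events.nsf", "doladmin.nsf", "dbdirman.nsf", "certsrv.nsf",
    "certlog.nsf", "admin4.nsf",
}
DEFAULT_ELEMENTS = {"$defaultview", "$defaultnav", "$defaultform", "help",
                    "$about", "$searchform", "$icon", "$first", "$file"}


@dataclass
class DominoUrl:
    host: str
    database: str        # path of the .nsf/.ntf, e.g. "apps/crm.nsf"
    notes_object: str    # design element path after the database, may be ""
    action: str          # first query-string token, e.g. "OpenView"
    arguments: list = field(default_factory=list)   # remaining tokens


def parse_domino_url(url: str) -> DominoUrl:
    """Split a Domino web URL into host/Database/NotesObject?Action&Arguments."""
    parts = urlsplit(url)
    segments = [unquote(s) for s in parts.path.split("/") if s]
    # The database is the first path segment that names an .nsf/.ntf file;
    # any directories before it belong to the database path.
    db_index = next((i for i, s in enumerate(segments)
                     if s.lower().endswith((".nsf", ".ntf"))), None)
    if db_index is None:
        raise ValueError(f"no Notes database in path: {parts.path}")
    tokens = parts.query.split("&") if parts.query else []
    return DominoUrl(
        host=parts.hostname or "",
        database="/".join(segments[: db_index + 1]),
        notes_object="/".join(segments[db_index + 1:]),
        action=tokens[0] if tokens else "",
        arguments=tokens[1:],
    )


def default_object_findings(url: str) -> list:
    """Return the reasons a request touches a default database or element."""
    try:
        parsed = parse_domino_url(url)
    except ValueError:
        return []
    findings = []
    db_name = parsed.database.rsplit("/", 1)[-1].lower()
    if db_name in DEFAULT_DATABASES:
        findings.append(f"default database {db_name}")
    first_element = parsed.notes_object.split("/", 1)[0].lower()
    if first_element in DEFAULT_ELEMENTS:
        findings.append(f"default design element {first_element}")
    return findings


# Constructed sample of Domino HTTP access-log lines (common log format).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2009:10:01:02 -0500] "GET /names.nsf?OpenDatabase HTTP/1.1" 200 5120
10.0.0.5 - - [12/Mar/2009:10:01:09 -0500] "GET /apps/crm.nsf/$DefaultView?OpenView HTTP/1.1" 200 8840
10.0.0.7 - - [12/Mar/2009:10:02:31 -0500] "GET /apps/crm.nsf/Customers/ABC123?OpenDocument&Login HTTP/1.1" 401 311
"""


def scan_access_log(log_text: str) -> list:
    """Return (client, path, findings) for log lines that hit default objects."""
    hits = []
    for line in log_text.splitlines():
        try:
            client = line.split(" ", 1)[0]
            request = line.split('"')[1]          # e.g. GET /path HTTP/1.1
            path = request.split(" ")[1]
        except IndexError:
            continue                               # malformed line, skip it
        findings = default_object_findings("http://domino" + path)
        if findings:
            hits.append((client, path, findings))
    return hits


if __name__ == "__main__":
    for client, path, findings in scan_access_log(SAMPLE_LOG):
        print(client, path, "; ".join(findings))
```

The first two sample lines are reported (a request to names.nsf and a request for $DefaultView in an application database); the third, an ordinary document open, is not.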

Notes Database Access Control List (ACL)

  • Defines user and group access privileges on the database
  • Seven access levels (Manager, Designer, Editor, Author, Reader, Depositor, and No Access)
  • Eight access options for each level (create/delete documents, create/delete folders/views, create/delete agents, create/delete public documents)
  • Anonymous and -Default- entries
  • Maximum Internet name-and-password access: only applies to name-password authentication, not to certificate authentication.  A web user cannot get access greater than this “Maximum” even if the access explicitly given to them is higher
  • Further restriction can be done in conjunction with Reader fields, Author fields, and the access list of documents for granular read and write access control

Notes Web Authentication

  • Anonymous user: one who does not have a Person document in the Domino Directory (names.nsf)
  • Authentication occurs if anonymous access is disabled in the server configuration document and on the Notes objects
  • Name-password authentication: the user name and password are checked against the Person document and its Internet password in the Domino Directory (names.nsf).  Available as basic authentication and session-based authentication.  Internet password lockout function (Notes 8 only)
  • SSL client certificate authentication

Common Security Mistakes in Development

  1. Unauthorized Access: anonymous access.  Anonymous users are assigned the -Default- access level if there is no Anonymous group explicitly set.  In most built-in templates the -Default- access level is Designer and Maximum Internet and Password Access is Editor.  Forceful browsing.  Solutions are to set up an Anonymous group and assign it “no access”, and to review the ACLs of all databases and confidential documents.
  2. Using Default Objects (Databases): default databases are statrep.nsf, schema.nsf, reports.nsf, names.nsf, log.nsf, events.nsf, doladmin.nsf, dbdirman.nsf, certsrv.nsf, certlog.nsf, admin4.nsf, …  Anonymous users should not be allowed to access these databases.
  3. Default Objects (Views): $DefaultView?OpenView, $DefaultNav?OpenNav, $DefaultForm?OpenForm, help?OpenHelp, $about?OpenAbout, $searchform?searchdomain, $searchform?searchsite, $searchform?searchview, $Icon?OpenIcon, $first, $file.  Solutions are to use URL redirection and mapping in the server document, customize the default pages, and apply the appropriate access control.
  4. SQL Injection: places that process user input (@Commands, WebQueryOpen, WebQuerySave, WebQueryClose, @URLQueryString, OpenAgent, RunAgent).  Solution is input validation in fields by formula or LotusScript.
  5. Cross Site Scripting: most cross-site scripting vulnerabilities here are persistent.  Solutions are to use input validation or to HTML-encode output.
  6. Session Management: by default Domino uses basic authentication, so the username and password are sent in clear-text in the packet of every request.  Solution is to configure the server document to use session-based authentication.  Do not append sensitive data to the query string.
  7. Information Leakage: hard-coded usernames and passwords.  Solutions are to remove sensitive information from the source code and logs, and to customize the error messages.
  8. Operating System Interaction: LotusScript has system commands such as Shell, OSLoadProgram, OSLoadLibrary, FileCopy, Open, Kill, Get, Input, and Close.  Solution is to hard-code the path and validate the filename input.
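The ACL rules above (the -Default- fallback for anonymous users, the Maximum Internet access cap that applies to name-password but not certificate authentication) and mistake 1 in this list are easy to get wrong by hand, so here is an effective-access calculator and ACL audit written for these notes.  It is not code from the talk or from Domino.  It assumes that anonymous web users fall under the same Maximum Internet cap as name-password users, and the two ACLs it checks are constructed samples: one mirroring the built-in template defaults the talk describes (-Default- = Designer, Maximum = Editor, no Anonymous entry) and one hardened as the talk recommends.

```python
from dataclasses import dataclass

# Access levels from the ACL section, ordered weakest to strongest.
LEVELS = ["no access", "depositor", "reader", "author", "editor", "designer", "manager"]


def rank(level: str) -> int:
    """Position of an access level in LEVELS; raises ValueError for unknown names."""
    return LEVELS.index(level.lower())


@dataclass
class DatabaseAcl:
    name: str
    entries: dict                  # ACL entry name -> access level, e.g. {"-Default-": "designer"}
    max_internet_access: str       # "Maximum Internet name & password" setting


def effective_web_access(acl: DatabaseAcl, user: str, authenticated_by: str) -> str:
    """Access a web user actually gets, following the rules in the talk.

    - an anonymous user gets the Anonymous entry, or -Default- if there is none;
    - a named user gets their own entry, or -Default- if there is none;
    - name-password users are capped at the Maximum Internet access
      (assumption: anonymous users are capped the same way);
    - SSL client-certificate users are not capped.
    """
    default = acl.entries.get("-Default-", "no access")
    if user == "Anonymous":
        level = acl.entries.get("Anonymous", default)
    else:
        level = acl.entries.get(user, default)
    if authenticated_by in ("anonymous", "name-password"):
        cap = acl.max_internet_access
        if rank(level) > rank(cap):
            level = cap
    return level.lower()


def audit_anonymous(acls: list) -> list:
    """Return (database, problem) pairs for databases that expose anything to anonymous web users."""
    findings = []
    for acl in acls:
        if "Anonymous" not in acl.entries:
            findings.append((acl.name, "no explicit Anonymous entry; anonymous users inherit -Default-"))
        level = effective_web_access(acl, "Anonymous", "anonymous")
        if rank(level) > rank("no access"):
            findings.append((acl.name, f"anonymous web users get {level} access"))
    return findings


# Constructed sample: the template defaults described in the talk.
TEMPLATE_ACL = DatabaseAcl(
    name="apps/crm.nsf",
    entries={"-Default-": "designer"},
    max_internet_access="editor",
)

# Constructed sample: the same database after applying the talk's fix.
HARDENED_ACL = DatabaseAcl(
    name="apps/crm-hardened.nsf",
    entries={"-Default-": "reader", "Anonymous": "no access"},
    max_internet_access="editor",
)


if __name__ == "__main__":
    for db, problem in audit_anonymous([TEMPLATE_ACL, HARDENED_ACL]):
        print(f"{db}: {problem}")
```

Running it reports two problems for the template-style ACL (no Anonymous entry, and anonymous users ending up with Editor after the cap) and none for the hardened one; the same calculator shows a certificate-authenticated user on the template ACL still getting Designer, since the Maximum does not apply to them.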

Testing security is challenging, but it can be done with:

  • Lotus Notes Designer (Design Synopsis)
  • Grep
  • A good text editor
  • Paros
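The methodology above amounts to exporting a Design Synopsis from Designer and grepping it for the OS-interaction calls in mistake 8 and the user-input entry points in mistake 4.  The scanner below, written for these notes and not part of the talk, does that over a constructed synopsis excerpt (the agent, its trigger line and the `Query_String_Decoded` field are all assumptions made up for the sample), and pairs it with the fix the talk recommends: a hard-coded directory plus a validated file name.

```python
import re

# Patterns for the LotusScript calls the talk names as OS/file interaction.
# Open/Get/Input/Close are common words, so they are matched in their
# file-statement form ("Open ... For Output As #1", "Close #1") only.
RISKY_PATTERNS = {
    "Shell": r"\bShell\s*\(",
    "OSLoadProgram": r"\bOSLoadProgram\s*\(",
    "OSLoadLibrary": r"\bOSLoadLibrary\s*\(",
    "FileCopy": r"\bFileCopy\b",
    "Kill": r"\bKill\b",
    "Open ... For": r"\bOpen\b.+\bFor\s+(Input|Output|Append|Binary|Random)\b",
    "Get #": r"\bGet\s*#",
    "Input #": r"\bInput\s*#",
    "Close #": r"\bClose\s*#",
}

# Places where a web URL reaches code, from the talk's SQL injection item.
INPUT_ENTRY_POINTS = ["WebQueryOpen", "WebQuerySave", "WebQueryClose",
                      "@URLQueryString", "OpenAgent", "RunAgent"]


def scan_synopsis(text: str) -> list:
    """Return (line number, finding, code line) for every risky line in a synopsis."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        code = line.strip()
        if code.startswith("'") or code.lower().startswith("rem "):
            continue                                  # LotusScript comment
        for name, pattern in RISKY_PATTERNS.items():
            if re.search(pattern, code, re.IGNORECASE):
                findings.append((lineno, name, code))
        for entry in INPUT_ENTRY_POINTS:
            if entry.lower() in code.lower():
                findings.append((lineno, f"input entry point {entry}", code))
    return findings


# The fix from the talk: the directory is fixed in code and the file name is
# validated before use. Only short alphanumeric names with a known extension
# pass, which rules out path separators, "..", and shell metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(txt|csv)$")
EXPORT_DIR = "/opt/export"    # assumed, hard-coded export location


def safe_export_path(user_supplied_name: str):
    """Full path under EXPORT_DIR for a validated name, or None if it is rejected."""
    if not SAFE_NAME.match(user_supplied_name):
        return None
    return EXPORT_DIR + "/" + user_supplied_name


# Constructed design-synopsis excerpt for a web agent that takes a file name
# straight from the query string (the pattern mistake 8 warns about).
SAMPLE_SYNOPSIS = """\
Agent: ExportReport
  Trigger: Agent list selection (runs via ?OpenAgent)
  Script:
    Sub Initialize
      Dim doc As NotesDocument
      Set doc = session.DocumentContext
      ' file name comes straight from the URL query string
      fname = doc.Query_String_Decoded(0)
      Open "/opt/export/" & fname For Output As #1
      Print #1, "report"
      Close #1
      Shell("gzip /opt/export/" & fname)
    End Sub
"""


if __name__ == "__main__":
    for lineno, finding, code in scan_synopsis(SAMPLE_SYNOPSIS):
        print(f"line {lineno}: {finding}: {code}")
    print(safe_export_path("report.csv"), safe_export_path("../secret.txt"))
```

On the sample the scanner reports four lines: the ?OpenAgent trigger (an input entry point), the `Open ... For Output`, the `Close #1`, and the `Shell(` call; the comment line is skipped.  The validator accepts `report.csv` and returns None for anything containing a path separator or other characters outside the allowed set.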

References

  • Secure Domino Application
  • Lotus Security Handbook