mailing list archives
Re: L0pht 'Domino' Vulnerability is alive and well
From: paully () IBA COM BY (Pavel Ahafonau)
Date: Wed, 7 Jul 1999 18:09:52 +0200
This is a good known problem.
So. I'd just like to make some additionals to Lotus Notes/Domino advisory.
Usually Domino websites have some automation features. For example,
to add news article to webserver you should only create document by "NEWS"
form. Then the new article will appear at the news page of webserver. The
news page is organized as Lotus Notes/Domino view with design template
as special named form. To let anonymous web users access the news page
you should set anonymous access level as "Author" for entire Lotus
Notes/Domino database. But to prevent creating unnecessary documents by
anonymous you should add the field "SaveOptions" with value set to "0" to
view template form (ex., "($$ViewTemplate for news.html)" - view design
template for view named "news.html" also view template should have alias
name like "$$ViewTemplate for news.html"). For the "NEWS" form you should
set "Default read access to documents created with this form" for anonymous
and "Who can create documents with this form" for only that users, groups or
roles who should have this access but not for anonymous. For the view
template form "Who can create documents with this form" should contain also
anonymous user to let web users access automatically generated with
customized design view.
This also appliable to custom search forms, feedback forms and others with
the same goal (ex., navigator template forms). To allow web users (anonymous)
search through database anonymous access level should be set to "Author".
And the forms should have field "SaveOptions" with value set to "0".
Paully A. Ahafonau.