Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Lotus Domino View ACL by-pass (#NISR29102001C)
From: Darren Davison <dd () edefl demon co uk>
Date: Wed, 31 Oct 2001 23:30:29 +0000

On Wednesday 31 October 2001 02:40, NGSSoftware Insight Security Research 

A Lotus Notes database contains documents which are organized into views.

to be more correct, the database contains documents which *can* be organized 
into views.  That's not to be pedantic, but it's crucial in understanding the 
relationship between the data and the design of the database.

Access control lists can be applied to the database itself, views and
documents. If a user has been denied access to a view, NISR have discovered
that it is possible to by-pass the permissions set on that view and access
the documents one would expect it to protect.

views do not, nor are they intended to protect the documents they 'contain', 
they are merely a convenience.  Hiding the view or restricting its access to 
certain users is simply an extension of that convenience.  Data (ie 
documents) are correctly protected by readers fields, document encryption or 
field level encryption.

From the online help of the Domino Designer client..
".. Users who are excluded from the access list will no longer see the view 
or folder in the View menu.  A view or folder read access list is not a true 
security measure."


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]