Technote Number: 1163845
Problem:
All three issues reported require that the attacker have ADMINISTRATOR access
rights. If you are not already an authenticated server administrator, you
cannot use the Web Administrator.
The "folder creation" issue that allows folders to be created outside the
Domino data directory is not a Denial of Service (DoS) attack. It does not
allow the user to delete or overwrite existing folders. The same is true of
the "check if a file exists" issue. SPR # KSPR5X7NNX has been submitted to
restrict access to the Domino data directory, but this is not a serious
security issue.
The "Quick Console XSS" issue is completely non-existent. Code executing in
the administrator's browser only comes from the server itself, so it does not
matter what is entered in the quick console. JavaScript code that is sent to
the server will result in a "command or option is not recognized" error because
the server console does not understand JavaScript commands. Input validation in
the quick console is unnecessary because the input is validated at the server,
where it causes no harm.
Access to the Web Administrator (webadmin.nsf) is controlled both by the ACL on
the database and by security settings in the Server document. Access is
configured by a server administrator in the Server document. The HTTP server
task ensures that administrators listed in the "Full Access Administrators" and
"Administrators" fields in the Server document are also listed in the ACL of
the database and keeps access synchronized. Customers should configure these
settings in the Server document appropriately.