Thomas Hampel

 9 November 2015
There is a seucrity issue with Domino which allows anybody to gain access without authentication.
Jesper Kiaer wrote about this problem before in his blog post ( Part1 and Part2 ) and also created a video showing the problem.

If the Notes.ini variable HTTPEnableConnectorHeaders is set to 1, an attacker just needs to pass the user name he wants to be within a request header to get unauthorized access to Domino servers.
This notes.ini variable is referenced in the product documentation as well as in this technote for configuring Domino servers behind an IIS reverse proxy.

So there is a good chance that some people have enable this variable in production.
None of the Domino servers I have checked was affected, however I was able to reproduce the findings and can confirm it is working as described even with Domino 9.0.1 with latest fixes installed.

Steps to reproduce

• Add the Notes.ini variable "HTTPEnableConnectorHeaders=1" to the Notes.ini of the Domino server
  Remark: This will make the server insecure.
• Restart the HTTP task
• Use Firefox and install this plugin => https://addons.mozilla.org/en-US/firefox/addon/modify-headers/
• Restart Firefox for the plugin to be initialized
• In Firefox, open the configuration of the new plugin
  
• Add a new header called $WSRU with the desired username / shortname as available in the target environment
  
  Save + Enable the configuration
• Start the Plugin
  
• Navigate to an existing Domino server resource, e.g. https://your-domino-server.your-domain.com/mail/username.nsf

Surprise, surprise... you now have access rights of the user name you have specified in the request header, in my case thats PaulSmith.
Just imagine what can be done when using the name of an administrator...

How to fix it?
Well, as simple as removing the Notes.ini variable in question, using the following two commands at the Domino server console:

Of course you would use a configuration document in production to keep your Notes.ini under control.

References:

• Nevermind.dk - http://nevermind.dk/
• Sean Cull - Apache Proxy for Domino and HTTPEnableConnectorHeaders
• Darren Duke  - If you get page errors after disabling HTTPEnableConnectorHeaders in Domino, try this
• Jesse Gallagher - Domino's Server-Side User Security