Personal Blog of Thomas Hampel - Creative Mythbusting in Development and Collaboration

Previous Document Next Document

Domino Security - Disable HTTPEnableConnectorHeaders NOW

Thomas Hampel
 9 November 2015

There is a seucrity issue with Domino which allows anybody to gain access without authentication.
Jesper Kiaer wrote about this problem before in his blog post ( Part1 and Part2 ) and also created a video showing the problem.

If the Notes.ini variable HTTPEnableConnectorHeaders is set to 1, an attacker just needs to pass the user name he wants to be within a request header to get unauthorized access to Domino servers.
This notes.ini variable is referenced in the product documentation as well as in this technote for configuring Domino servers behind an IIS reverse proxy.

So there is a good chance that some people have enable this variable in production.
None of the Domino servers I have checked was affected, however I was able to reproduce the findings and can confirm it is working as described even with Domino 9.0.1 with latest fixes installed.

Steps to reproduce
  • Add the Notes.ini variable "HTTPEnableConnectorHeaders=1" to the Notes.ini of the Domino server
    Remark: This will make the server insecure.
  • Restart the HTTP task
  • Use Firefox and install this plugin => https://addons.mozilla.org/en-US/firefox/addon/modify-headers/
  • Restart Firefox for the plugin to be initialized
  • In Firefox, open the configuration of the new plugin
    Image:Domino Security - Disable HTTPEnableConnectorHeaders NOW
  • Add a new header called $WSRU with the desired username / shortname as available in the target environment
    Image:Domino Security - Disable HTTPEnableConnectorHeaders NOW
    Save + Enable the configuration
  • Start the Plugin
    Image:Domino Security - Disable HTTPEnableConnectorHeaders NOW
  • Navigate to an existing Domino server resource, e.g. https://your-domino-server.your-domain.com/mail/username.nsf
Surprise, surprise... you now have access rights of the user name you have specified in the request header, in my case thats PaulSmith.
Just imagine what can be done when using the name of an administrator...

How to fix it?

Well, as simple as removing the Notes.ini variable in question, using the following two commands at the Domino server console:
set config HTTPEnableConnectorHeaders=0
tell http restart

Of course you would use a configuration document in production to keep your Notes.ini under control.

References:
Tagged with: Domino HTTPServer IBM
Comments

1.) Untitled

Markus Petzold http:// 25.11.2015 10:42:16

Checked on all Servers

Nothing found

Puh :-)

Go ElsewhereSubscribe to RSSAboutStay ConnectedAnd More
Thomas Hampel, All rights reserved.