Lotus Security Part III
Sanjaya K Saxena
Building Rock Solid Lotus Domino Security Part III
1. Lotus Domino: Building Rock Solid Security, Part III
© Sanjaya Kumar Saxena
2. Domino Security: Application Perspective
3. Recommended Input Validation
- Remove null characters, e.g. java0script
- Convert all tabs to spaces
- Compact exploded words such as j a v a s c r i p t
- Remove disallowed JavaScript in links, image or div tags
- Remove JavaScript event handlers such as onClick
- Sanitize naughty HTML elements: <blink> becomes &lt;blink&gt;
- Escape all quotes: 'xxxx' becomes &#39;xxxx&#39;
- Sanitize naughty scripting elements by converting parentheses to entities: eval('xxxx') becomes eval&#40;'xxxx'&#41;
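The checklist above is a recipe, so here is an added example (not from the slides) that implements it as a single Python sanitize() function. The word lists, the function names and the step ordering are my assumptions; quotes are escaped after the tag-based steps so that those regexes can still read attribute values.

```python
import re

# Words an attacker may "explode" with whitespace to slip past a naive filter.
# Constructed list for this example; the slide only shows "j a v a s c r i p t".
EXPLODED_WORDS = ("javascript", "vbscript", "expression", "alert", "eval",
                  "document", "cookie", "write", "script")

# Elements treated as "naughty": the slide names <blink>, the rest are assumed.
NAUGHTY_ELEMENTS = ("blink", "script", "iframe", "object", "embed", "applet",
                    "style", "meta", "link", "base", "form", "layer", "xml")

# Script functions whose parentheses become entities; the slide shows eval().
NAUGHTY_FUNCTIONS = ("eval", "alert", "expression", "settimeout", "setinterval")

# "j a v a s c r i p t" -> "javascript"; \b keeps "the val" from becoming "theval"
_EXPLODED = [
    (re.compile(r"\b" + r"\s*".join(re.escape(c) for c in w) + r"\b", re.I), w)
    for w in EXPLODED_WORDS
]
_EVENT_HANDLER = re.compile(r"""\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""", re.I)
_JS_IN_TAG = re.compile(r"<(a|img|div)\b[^>]*\bjavascript\s*:[^>]*>", re.I)
_NAUGHTY_TAG = re.compile(r"<(/?\s*(?:%s)\b[^>]*)>" % "|".join(NAUGHTY_ELEMENTS), re.I)
_NAUGHTY_CALL = re.compile(r"\b(%s)\s*\(([^)]*)\)" % "|".join(NAUGHTY_FUNCTIONS), re.I)


def compact_exploded_words(text: str) -> str:
    """Collapse whitespace-exploded keywords so the later checks can see them."""
    for pattern, word in _EXPLODED:
        text = pattern.sub(word, text)
    return text


def sanitize(text: str) -> str:
    """Apply the slide's checklist in an order that keeps every step effective."""
    text = text.replace("\x00", "")                 # 1. remove null characters
    text = text.replace("\t", " ")                  # 2. convert tabs to spaces
    text = compact_exploded_words(text)             # 3. compact exploded words
    text = _JS_IN_TAG.sub("", text)                 # 4. drop a/img/div tags with javascript:
    text = _EVENT_HANDLER.sub("", text)             # 5. remove onClick= and friends
    text = _NAUGHTY_TAG.sub(r"&lt;\1&gt;", text)    # 6. <blink> -> &lt;blink&gt;
    text = text.replace('"', "&quot;").replace("'", "&#39;")   # 7. escape all quotes
    text = _NAUGHTY_CALL.sub(r"\1&#40;\2&#41;", text)          # 8. eval(..) -> eval&#40;..&#41;
    return text
```

A deny-list filter like this is a defence-in-depth layer only; context-aware output encoding at the point where the value is rendered remains the primary control against XSS.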
4. Things to Avoid
- Leaving a host server vulnerable to browsing
- Failing to set access rights to databases correctly
- Relying on database launch properties to secure data
- Relying on empty view templates to prevent access to sensitive documents
- Relying on hidden views to protect sensitive information
- Using form formulas in place of Domino security
- Failing to prevent unwanted searches of your database
- Leaving application agents vulnerable to being invoked by browser users
5. Application Data Security: Encryption of Local Databases
- Don't encrypt server-based databases
- Use named encryption keys shared between all users who should be able to access this information; even administrators cannot read it
- Encrypt local databases on notebooks; Domino can force local encryption of client databases via policy or local setting
- This provides no additional security unless you protect your server.id!
- It can affect performance, especially when using "strong" mode
- Administrators could still see the encrypted items and still support users in case of problems
- Encryption is enabled at application level, so developers and administrators need to collaborate
6. Application Data Security: Caveats for Encryption
- Don't import those keys into the server.id until you really need to
- Encrypted fields cannot be used in views!
- Make sure someone has a backup copy of the public encryption key
- Users could read encrypted data too when they have access
- For external archiving you might need an extra server without any user access, or a separate ID that accesses the databases
- Make sure users cannot redistribute encryption keys
7. Domino 7.x Vulnerabilities Report
8. XSS/Buffer Overflow
Release Date: 2008-05-21
Impact: XSS / DoS / System Access
From where: Remote
Solution: Update to version 7.0.3 Fix Pack 1 (FP1) or 8.0.1.
http://secunia.com/advisories/30310/

9. Denial of Service
Release Date: 2008-01-10
Impact: DoS
From where: Remote
Solution: Update to version 7.0.2 Fix Pack 3.
http://secunia.com/advisories/28411/

10. Web Access Control/ActiveX Control
Release Date: 2007-12-21
Impact: System Access
From where: Remote
Solution: (Partial Fix) The "Mail_MailDbPath" vulnerability is reportedly fixed in Web Access ver 6.5.6, 7.0.3, and 8.0. The "General_ServerName" vulnerability will reportedly be fixed in Web Access ver 8.0.1.
http://secunia.com/advisories/28184/

11. XSS
Release Date: 2007-11-02
Impact: Unknown
From where: Remote
Solution: Update to version 6.5.6 Fix Pack 2 (FP2), 7.0.2 Fix Pack 2 (FP2), 7.0.3, or 8.0.
http://secunia.com/advisories/27509/

12. Multiple Vulnerabilities
Release Date: 2007-10-23
Impact: Sensitive Information Exposure / System Access
From where: Remote
Solution: Update to version 7.0.3 or 8.0.
http://secunia.com/advisories/27321/

13. Agent Signature Verification
Release Date: 2007-06-05
Impact: Privilege Escalation
From where: Local Network
Solution: Update to version Domino 6.5.6 Fix Pack 2 (FP2), Domino 7.0.2 Fix Pack 2 (FP2), Domino 7.0.3, or Domino 8.0.
http://secunia.com/advisories/25520/

14. Unspecified DoS
Release Date: 2007-06-04
Impact: DoS
From where: Remote
Solution: Update to Lotus Domino 7.0.3 or Lotus Domino 7.0.2 Fix Pack 2 (FP2).
http://secunia.com/advisories/25542/

15. Script Insertion & Buffer Overflow
Release Date: 2007-03-28
Impact: XSS / DoS
From where: Remote
Solution: Update to version 6.5.5 Fix Pack 3 (FP3), 6.5.6, or 7.0.2 Fix Pack 1.
http://secunia.com/advisories/24633/

16. tunekrnl Privilege Escalation
Release Date: 2006-11-09
Impact: Privilege Escalation
From where: Local System
Solution: Update to version 6.5.5 Fix Pack 2 (FP2) or 7.0.2.
http://secunia.com/advisories/22724/

17. NRPC Information Disclosure
Release Date: 2006-11-09
Impact: Sensitive Information Exposure
From where: Local Network
Solution: Update to version 6.5.5 Fix Pack 2 (FP2) or 7.0.2 and configure the "BLOCK_LOOKUPID" variable in the server's "notes.ini" file (see the vendor's advisory for details).
http://secunia.com/advisories/22741/

18. Multiple Vulnerabilities
Release Date: 2006-03-10
Impact: XSS / DoS
From where: Remote
Solution: Update to version 6.5.5 or 7.0.1.
http://secunia.com/advisories/16340/

19. LDAP DoS
Release Date: 2006-03-07
Impact: DoS
From where: Local Network
Solution: (Unpatched) Restrict access to the LDAP service.
http://secunia.com/advisories/18738/
20. In Addition
- Many of these vulnerabilities are also present in 8.x and 6.x
- As of now, one further vulnerability has been reported for 8.x in 2009
- 31 advisories exist for 6.x, of which 4 remain unpatched. Of these four, one is a highly critical vulnerability.