Lotus Domino
Building Rock Solid Security
© Sanjaya Kumar Saxena
Part - III
Domino Security
Application Perspective
Recommended Input Validation
Apply these in order: the first three steps normalise the input so the later keyword filters see the real tokens.
Remove null characters: java\0script must not slip past a keyword filter
Convert all tabs to spaces
Compact exploded words: j a v a s c r i p t becomes javascript before any keyword check
Remove disallowed javascript: URLs in link, image or div tags
Remove javascript event handlers such as onClick, onLoad, onError
Sanitize naughty HTML elements, e.g. <blink> becomes &lt;blink&gt;
Escape all quotes, e.g. the quotes around ‘xxxx’ become their HTML entities
Sanitize naughty scripting elements by converting parentheses to entities,
e.g. eval(‘xxxx’) becomes eval&#40;‘xxxx’&#41;
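The list above as working code, added here as an illustration (it is not code from the slides or from Domino). It applies the eight steps in the order given; the keyword lists and regular expressions are this example's own choices, so extend them to whatever your forms accept. Treat it as a second line of defence: encoding output at render time is still the primary control.

```python
import re

# Added example: keyword lists and patterns are assumptions of this example,
# not part of the original slides.
_EXPLODABLE = ('javascript', 'vbscript', 'script', 'eval', 'alert', 'expression')
_NAUGHTY_TAGS = ('blink', 'script', 'iframe', 'object', 'embed', 'applet',
                 'style', 'meta', 'link', 'base')
_EVENT_HANDLER = re.compile(r'''\s+on[a-z]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)''', re.I)
_SCRIPT_URL = re.compile(
    r'''(<(?:a|img|div)\b[^>]*?\b(?:href|src|style)\s*=\s*["']?)\s*(?:javascript|vbscript)\s*:''',
    re.I)
_NAUGHTY_TAG = re.compile(r'<(/?)(' + '|'.join(_NAUGHTY_TAGS) + r')\b([^>]*)>', re.I)
_NAUGHTY_CALL = re.compile(r'\b(eval|alert|prompt|confirm|expression)(\s*)\((.*?)\)', re.I)


def _compact(match):
    """Collapse 'j a v a s c r i p t' to 'javascript', keeping the original case."""
    return re.sub(r'\s+', '', match.group(0))


def sanitize(text):
    """Apply the slide's eight steps, in order, to untrusted form input."""
    # 1. Remove null characters: "java\0script" must not sneak past keyword filters
    text = text.replace('\0', '')
    # 2. Convert all tabs to spaces so the patterns below only deal with one kind of gap
    text = text.replace('\t', ' ')
    # 3. Compact exploded words before any keyword matching
    for word in _EXPLODABLE:
        pattern = r'\s*'.join(re.escape(ch) for ch in word)
        text = re.sub(pattern, _compact, text, flags=re.I)
    # 4. Remove javascript:/vbscript: URLs in link, image or div attributes
    text = _SCRIPT_URL.sub(r'\1', text)
    # 5. Remove javascript event handlers (onClick, onError, ...)
    text = _EVENT_HANDLER.sub('', text)
    # 6. Sanitize naughty HTML elements: <blink> becomes &lt;blink&gt;
    text = _NAUGHTY_TAG.sub(
        lambda m: '&lt;' + m.group(1) + m.group(2) + m.group(3) + '&gt;', text)
    # 7. Escape all quotes
    text = text.replace('"', '&quot;').replace("'", '&#39;')
    # 8. Sanitize naughty scripting elements: eval('x') becomes eval&#40;'x'&#41;
    text = _NAUGHTY_CALL.sub(r'\1\2&#40;\3&#41;', text)
    return text


if __name__ == '__main__':
    for sample in ("java\0script:alert(1)", "j a v a\ts c r i p t",
                   '<img src="x" onerror="alert(1)">', "<blink>hi</blink>", "eval('xxxx')"):
        print(repr(sample), '->', repr(sanitize(sample)))
```

Step 3 strips only the whitespace inside a matched span, so ordinary words that happen to contain "script" (such as "description") are left unchanged; step 7 runs before step 8 so the quotes inside eval(...) are already entities when the parentheses are converted.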
Things to Avoid
Leaving the host server open to database browsing
Failing to set database ACLs correctly
Relying on database launch properties to secure data
Relying on empty view templates to prevent access to sensitive documents
Relying on hidden views to protect sensitive information
Using form formulas in place of Domino security
Failing to prevent unwanted full-text searches of your database
Leaving application agents invokable by browser users
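Most items in this list can be checked from a browser, because Domino exposes each of them through a URL command. The script below, an added example rather than anything from the slides, builds one probe URL per item and classifies a captured HTTP response as denied, exposed or absent. The database, agent and view names are hypothetical; the URL commands (?OpenServer, ?ReadViewEntries, ?SearchView, ?OpenAgent, ?OpenView, $DefaultView) are standard Domino web URL syntax; the two error strings are assumed from typical 6.x/7.x servers, so adjust them to what yours returns. It sends nothing itself, so drive it with whatever HTTP client you already use.

```python
from urllib.parse import quote

# Added example: database, agent and view names are hypothetical.
def probe_urls(base, db='app.nsf', agent='ProcessOrders', hidden_view='(AdminData)'):
    """One URL per item in the list above that can be checked from a browser."""
    db = quote(db)
    return {
        'server_browsing': f'{base}/?OpenServer',
        'default_view':    f'{base}/{db}/$DefaultView?ReadViewEntries',
        'search':          f'{base}/{db}/$DefaultView?SearchView&Query=' + quote('test'),
        'agent':           f'{base}/{db}/{quote(agent)}?OpenAgent',
        'hidden_view':     f'{base}/{db}/{quote(hidden_view)}?OpenView',
    }

# Body fragments that mean 'exposed' for each check; None means a 200 is enough.
_EXPOSED_MARKER = {
    'server_browsing': '.nsf',          # a listing of databases on the server
    'default_view':    '<viewentries',  # XML export of the view's entries
    'search':          None,            # the search ran
    'agent':           None,            # the agent ran for a browser user
    'hidden_view':     None,            # hidden is not the same as protected
}
# Assumed Domino web server error strings (lower-cased); adjust to your server.
_FORBIDDEN = 'forbidden to perform this operation'
_NO_DESIGN = "couldn't find design note"


def classify(check, status, body):
    """'denied' is what you want; 'exposed' is a finding; 'absent' means no such element."""
    b = body.lower()
    if status in (401, 403) or _FORBIDDEN in b:
        return 'denied'
    if status == 404 or _NO_DESIGN in b:
        return 'absent'
    marker = _EXPOSED_MARKER[check]
    if status == 200 and (marker is None or marker in b):
        return 'exposed'
    return 'unknown'


def audit(responses):
    """responses: {check: (status, body)} as captured by your HTTP client."""
    return {check: classify(check, status, body)
            for check, (status, body) in responses.items()}


# Constructed sample responses (not real captures) to show the classification.
SAMPLE_RESPONSES = {
    'server_browsing': (200, '<html><a href="/names.nsf">names.nsf</a><a href="/app.nsf">app.nsf</a>'),
    'default_view':    (200, '<?xml version="1.0"?><viewentries toplevelentries="3">...'),
    'search':          (403, 'HTTP Web Server: You are forbidden to perform this operation'),
    'agent':           (404, "HTTP Web Server: Couldn't find design note - ProcessOrders"),
    'hidden_view':     (200, '<html><table><tr><td>Salary data</td></tr></table></html>'),
}

if __name__ == '__main__':
    for check, url in probe_urls('http://domino.example.com').items():
        print(f'{check:16} {url}')
    for check, verdict in audit(SAMPLE_RESPONSES).items():
        print(f'{check:16} {verdict}')
```

Run the probes as Anonymous and again as an ordinary authenticated user: an 'exposed' verdict for hidden_view shows why a parenthesised view name is a Designer convenience and not an access control, and an 'exposed' default_view shows that ?ReadViewEntries bypasses whatever an empty view template hides.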
Application Data Security
Encryption of Local Databases
Don't encrypt server-based databases
Use named encryption keys shared with all users who should be able to access the information
Even administrators cannot read fields encrypted with a key they do not hold
Encrypt local databases on notebooks
Domino can enforce local encryption of client databases via a security policy or local setting
Provides no additional security unless you also protect your server.id!
Can hurt performance, especially in "strong" encryption mode
A key held on the server can still read the encrypted items, which lets you support users when problems arise
Enabling this at the application level requires developers and administrators to collaborate
Application Data Security
Caveats for Encryption
Don't import the keys into the server.id until you really need them
Encrypted fields cannot be used in views!
Make sure someone holds a backup copy of the encryption key
Users who hold the key can read the encrypted data too, once they have access to the documents
For external archiving you may need an extra server without any user access, or a separate ID that accesses the databases
Make sure users cannot redistribute encryption keys
Domino 7.x
Vulnerabilities Report
XSS/Buffer Overflow
Release Date: 2008-05-21
Impact: XSS / DoS / System Access
From where: Remote
Solution: Update to version 7.0.3 Fix Pack 1 (FP1) or 8.0.1.
http://secunia.com/advisories/30310/
Denial of Service
Release Date: 2008-01-10
Impact: DoS
From where: Remote
Solution: Update to version 7.0.2 Fix Pack 3.
http://secunia.com/advisories/28411/
Web Access Control/ActiveX Control
Release Date: 2007-12-21
Impact: System Access
From where: Remote
Solution: (Partial fix) The "Mail_MailDbPath" vulnerability is reportedly fixed in Web Access 6.5.6, 7.0.3 and 8.0; the "General_ServerName" vulnerability will reportedly be fixed in Web Access 8.0.1.
http://secunia.com/advisories/28184/
XSS
Release Date: 2007-11-02
Impact: Unknown
From where: Remote
Solution: Update to version 6.5.6 Fix Pack 2 (FP2), 7.0.2 Fix Pack 2 (FP2), 7.0.3, or 8.0.
http://secunia.com/advisories/27509/
Multiple Vulnerabilities
Release Date: 2007-10-23
Impact: Sensitive Information Exposure / System Access
From where: Remote
Solution: Update to version 7.0.3 or 8.0.
http://secunia.com/advisories/27321/
Agent Signature Verification
Release Date: 2007-06-05
Impact: Privilege Escalation
From where: Local Network
Solution: Update to Domino 6.5.6 Fix Pack 2 (FP2), Domino 7.0.2 Fix Pack 2 (FP2), Domino 7.0.3, or Domino 8.0.
http://secunia.com/advisories/25520/
Unspecified DoS
Release Date: 2007-06-04
Impact: DoS
From where: Remote
Solution: Update to Lotus Domino 7.0.3 or Lotus Domino 7.0.2 Fix Pack 2 (FP2).
http://secunia.com/advisories/25542/
Script Insertion & Buffer Overflow
Release Date: 2007-03-28
Impact: XSS / DoS
From where: Remote
Solution: Update to version 6.5.5 Fix Pack 3 (FP3), 6.5.6, or 7.0.2 Fix Pack 1.
http://secunia.com/advisories/24633/
tunekrnl Privilege Escalation
Release Date: 2006-11-09
Impact: Privilege Escalation
From where: Local System
Solution: Update to version 6.5.5 Fix Pack 2 (FP2) or 7.0.2.
http://secunia.com/advisories/22724/
NRPC Information Disclosure
Release Date: 2006-11-09
Impact: Sensitive Information Exposure
From where: Local Network
Solution: Update to version 6.5.5 Fix Pack 2 (FP2) or 7.0.2 and configure the "BLOCK_LOOKUPID" variable in the server's "notes.ini" file (see the vendor's advisory for details).
http://secunia.com/advisories/22741/
Multiple Vulnerabilities
Release Date: 2006-03-10
Impact: XSS / DoS
From where: Remote
Solution: Update to version 6.5.5 or 7.0.1.
http://secunia.com/advisories/16340/
LDAP DoS
Release Date: 2006-03-07
Impact: DoS
From where: Local Network
Solution: (Unpatched) Restrict access to the LDAP service.
http://secunia.com/advisories/18738/
In Addition
Many of these vulnerabilities are also present in 8.x and 6.x
As of the time of this deck, one further vulnerability has been reported for 8.x in 2009
31 advisories exist for 6.x, of which 4 remain unpatched; one of those four is rated highly critical
