T 5.101 Hacking Lotus Notes/Domino
The data stored in the databases of a Lotus Domino server can also be made available for public access from the Internet. This imposes special requirements on the security of the Lotus Domino server used for this purpose. In this case, security loopholes could result in an attacker not only gaining unauthorised access to the Lotus Domino server itself but possibly also being able to penetrate the internal network which lies behind it.
Some of the problem areas and potential security loopholes which need to be considered, particularly where public access is allowed from the Internet to a Lotus Domino server, are listed below:
- A Lotus Domino server is a complex system. A server network increases the complexity still further. This complexity (which also extends to the security-relevant settings) can result in mistakes being made during configuration and hence in the creation of security loopholes.
- Given its wide functionality, integrating a Lotus Domino server with background systems can allow security weaknesses of the Lotus Domino server to be passed on to those background systems. In such a case it is generally sufficient to exploit a single weakness in a single function package.
- If web access to a Lotus Domino server is enabled, this applies to all databases on the relevant server. This can easily be used for deliberate attacks, especially against standard databases, unless secure access rights are assigned to each database.
- A well-known method for hacking a Lotus Domino server consists of accessing names.nsf via HTTP using a legitimate user account, reading the personal documents including the password hashes, and then determining the passwords by means of suitable cracking programs.
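
A detection sketch for the last item, added here and not part of the original catalogue entry: it counts how many distinct names.nsf resources each authenticated account reads successfully over HTTP and reports accounts at or above a threshold. It assumes the HTTP access log is written in NCSA common log format; the function name, the threshold and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# NCSA common log format: host ident user [time] "METHOD path PROTO" status bytes
# Assumption: the user field may be quoted because Notes names contain spaces.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>"[^"]*"|\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def flag_directory_readers(lines, threshold=3, db="names.nsf"):
    """Return {user: count of distinct resources read in db} for users >= threshold."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue  # unparsable line or request that returned no content
        user = m["user"].strip('"')
        if user in ("", "-"):
            continue  # unauthenticated request
        # Normalise: drop the query string, decode %xx, ignore case.
        parts = [p for p in unquote(urlsplit(m["path"]).path).lower().split("/") if p]
        if db not in parts:
            continue
        resource = "/".join(parts[parts.index(db) + 1:])
        if resource:
            seen[user].add(resource)
    return {u: len(r) for u, r in seen.items() if len(r) >= threshold}

# Constructed sample log lines (documentation IP ranges, placeholder paths).
T = "[12/Mar/2024:10:00:01 +0100]"
ALICE, BOB = '"CN=Alice Example/O=Example"', '"CN=Bob Example/O=Example"'
SAMPLE_LOG = [
    f'192.0.2.10 - {ALICE} {T} "GET /names.nsf/viewA/DOC0001?OpenDocument HTTP/1.1" 200 5120',
    f'192.0.2.10 - {ALICE} {T} "GET /names.nsf/viewA/DOC0002?OpenDocument HTTP/1.1" 200 5120',
    f'192.0.2.10 - {ALICE} {T} "GET /names.nsf/viewA/DOC0003?OpenDocument HTTP/1.1" 200 5120',
    f'192.0.2.10 - {ALICE} {T} "GET /NAMES.NSF/viewA/DOC0003?OpenDocument HTTP/1.1" 200 5120',
    f'192.0.2.22 - {BOB} {T} "GET /mail/bob.nsf/inbox HTTP/1.1" 200 900',
    f'192.0.2.22 - {BOB} {T} "GET /names.nsf/viewA/DOC0001?OpenDocument HTTP/1.1" 200 5120',
    f'198.51.100.7 - - {T} "GET /names.nsf/viewA/DOC0001?OpenDocument HTTP/1.1" 401 210',
]

if __name__ == "__main__":
    for user, count in flag_directory_readers(SAMPLE_LOG).items():
        print(f"{user}: {count} distinct names.nsf resources read over HTTP")
```

The threshold needs tuning against normal directory lookups on the server in question; the value used here is only a placeholder.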