Rapid7 Vulnerability & Exploit Database

Lotus Notes/Domino Anonymous Access to DNFS Configuration database

Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published: 11/01/2004
Created: 07/25/2018
Added: 11/01/2004
Modified: 12/04/2013

Description

The Domino server has been configured to allow anonymous access to the DNFS configuration database (/smbcfg.nsf).

This database is used to configure Domino Network File Store (DNFS), an optional add-in for Domino that lets users read files from and save files to Domino databases from any Windows application. With DNFS, files stored in a Domino database are presented to users in a traditional folder/file metaphor, and are accessed through an application's Open/Save dialog boxes, Windows Explorer, or any Windows file system dialog box.

An attacker could use this configuration database to learn about or modify your DNFS configuration. This raises the possibility of an attacker modifying "files" and possibly placing trojan horses or viruses where unsuspecting users can run them.

More information on DNFS can be found at http://www.support.lotus.com/sims2.nsf/852561c1006719a98525614100588964/ffdd116ab30f79d185256967005f2b41?OpenDocument.

Solution(s)

  • disable-anonymous-default-notes-acl
