If ACL of names.nsf is set to enforce consistent ACL, could a hacker succeed?
I recently read an article in eWEEK about a hacker who was able to break into a Domino server. This was done as a demonstration to the company owners as an audit of their vulnerability to attacks. The hacker was able to open the names.nsf file and to see various IDs that I assume were stored in a directory folder. If the ACL of the names.nsf was set to enforce consistent ACL, how would a hacker be able to open it?
Easy. If the Default or Anonymous entries in the Access Control List are set to Read, anyone can see the IDs that are attached to the person documents. This highlights the fact that Domino/Notes is a very secure system IF IT IS SET UP CORRECTLY. Leaving names.nsf wide open for reader access is a known problem, and smart hackers know to look for it.
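One way to check a server for the condition described in the answer, as an added example that is not part of the original Q&A: a LotusScript agent that reads the ACL of names.nsf and reports whether -Default- or Anonymous has Reader access or higher. It assumes the agent runs on the server itself under an ID allowed to read the ACL, and that the directory uses the file name names.nsf. It also prints the "Enforce a consistent ACL" flag, which keeps the ACL identical across replicas but does not change any entry's level.

```lotusscript
Option Declare

Sub Initialize
	' Assumption: "" means the server this agent runs on.
	Dim db As New NotesDatabase("", "names.nsf")
	Dim acl As NotesACL
	Dim dflt As NotesACLEntry
	Dim anon As NotesACLEntry
	Dim anonLevel As Integer

	If Not db.IsOpen Then
		Print "names.nsf could not be opened"
		Exit Sub
	End If

	Set acl = db.ACL
	Set dflt = acl.GetEntry("-Default-")
	Set anon = acl.GetEntry("Anonymous")

	' The consistency flag is reported only to show it is independent of the levels.
	Print "Enforce consistent ACL: " & CStr(acl.UniformAccess)
	Print "-Default- level: " & CStr(dflt.Level)

	If anon Is Nothing Then
		' With no Anonymous entry, unauthenticated users get the -Default- level.
		anonLevel = dflt.Level
		Print "No Anonymous entry; anonymous users inherit -Default-"
	Else
		anonLevel = anon.Level
		Print "Anonymous level: " & CStr(anonLevel)
	End If

	' Depositor (1) cannot read documents; Reader (2) and above can.
	If dflt.Level >= ACLLEVEL_READER Then
		Print "FINDING: -Default- can read person documents and attached IDs"
	End If
	If anonLevel >= ACLLEVEL_READER Then
		Print "FINDING: anonymous users can read person documents and attached IDs"
	End If
End Sub
```

Levels print as the numeric ACLLEVEL values, from 0 (No Access) to 6 (Manager).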
This was first published in October 2003