Block ?ReadDesign

We recently ran a vulnerability scan on our network, and one of the vulnerabilities detected was on a Domino web site. The exact security alert is:

“Access to the ReadDesign method over HTTP should be restricted to only trusted hosts.”

So I’d like to block the ReadDesign method over HTTP. Any idea how I can do that and get rid of that vulnerability?

Thanks in advance

Jo

Subject: block ?ReadDesign

The only solution I know is to create a redirection document on your Domino HTTP server which will redirect every incoming ReadDesign URL to a URL that does not exist, like /ThisDoesNotExists.

You can do this also for all the predefined URL commands you don’t want to expose (like ?deletedocument).

Hope this helps

Renaud

Subject: RE: block ?ReadDesign

Cool, but what about this guy who says it only works with R5 (http://www-10.lotus.com/ldd/nd6forum.nsf/55c38d716d632d9b8525689b005ba1c0/fd1cd95517d36f5d85257206001805e9?OpenDocument)? I’m running R6, and logically I would think your URL redirection would work on both versions, but I’d like to confirm that before making my change in production.

Thanks

Jo

Subject: RE: block ?ReadDesign

Honestly I don’t remember if it worked or not in R6. I’m only running V7/V8 server, so I cannot try it on a V6 server…

The only thing I can tell you is that it works on v7.

But in my opinion, you don’t risk much in adding this rule on your V6 server. If it doesn’t work it won’t break anything either: as they stated in the other mail, “doesn’t work” means the redirection does not happen!

Renaud

Subject: RE: block ?ReadDesign

It works with R6 (6.5.4). I just put my URL redirection for ?ReadDesign in place and it works.

Thanks a lot

Subject: RE: block ?ReadDesign

I implemented the URL redirect with no problem, but now when using Domino Web Access users can no longer access anything but the inbox for mail. Any other mail folder returns an error. Has anyone else had this, and how did you fix it?
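Added example, not code from the thread or from Domino itself: before putting a redirection rule like the one Renaud describes into production, it helps to dry-run the match logic against URLs the server actually serves, including ordinary mail and folder URLs of the kind the last post reports breaking. The script below models two ways of deciding whether a URL should be redirected: a naive substring match on the command name anywhere in the URL, and a precise match on the Domino URL command (the token following "?" or "!"). The Domino URL grammar it parses is simplified, the sample URLs are constructed, and the blocked-command list and the redirect target come from Renaud's answer; nothing here claims to be the cause of the Domino Web Access problem, it only shows how to check a rule for over-blocking before deploying it.

```python
import re
from typing import List, Optional, Tuple

# Commands named in this thread that an administrator may want to keep off the
# public HTTP interface (constructed list; extend as needed, lowercase).
BLOCKED_COMMANDS = {"readdesign", "deletedocument"}

# Dead-end target from Renaud's answer.
REDIRECT_TARGET = "/ThisDoesNotExists"

# Simplified Domino URL grammar:  <db>.nsf[/<object>](?|!)<Command>[&arg=value...]
# The command is the run of letters right after the first "?" or "!".
_COMMAND_RE = re.compile(r"[?!]([A-Za-z]+)")


def domino_command(url: str) -> Optional[str]:
    """Return the Domino URL command (lowercased) or None if the URL has none."""
    match = _COMMAND_RE.search(url)
    return match.group(1).lower() if match else None


def precise_redirect(url: str) -> Optional[str]:
    """Redirect only when the URL's *command* is one of the blocked commands."""
    return REDIRECT_TARGET if domino_command(url) in BLOCKED_COMMANDS else None


def naive_redirect(url: str) -> Optional[str]:
    """Redirect whenever a blocked command name appears anywhere in the URL
    (case-insensitive), which is what a loose wildcard rule amounts to."""
    lowered = url.lower()
    return REDIRECT_TARGET if any(cmd in lowered for cmd in BLOCKED_COMMANDS) else None


# Constructed sample URLs: the two design/deletion commands from the thread,
# typical Domino Web Access mail URLs, and a document whose *name* happens to
# contain the word "ReadDesign" without invoking the command.
SAMPLE_URLS = [
    "/names.nsf?ReadDesign",
    "/mail/jo.nsf!readdesign",
    "/names.nsf?DeleteDocument",
    "/mail/jo.nsf/($Inbox)?OpenView",
    "/mail/jo.nsf/Projects?OpenFolder&Start=1",
    "/docs.nsf/ReadDesignNotes?OpenDocument",
]


def compare(urls: List[str]) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Return (url, naive_result, precise_result) for each URL so that the two
    matching strategies can be reviewed side by side."""
    return [(u, naive_redirect(u), precise_redirect(u)) for u in urls]


def overblocked(urls: List[str]) -> List[str]:
    """URLs the naive rule would redirect although their command is harmless."""
    return [u for u in urls if naive_redirect(u) and not precise_redirect(u)]


if __name__ == "__main__":
    for url, naive, precise in compare(SAMPLE_URLS):
        print(f"{url:45s} naive={naive!s:20s} precise={precise!s}")
    print("over-blocked by the naive rule:", overblocked(SAMPLE_URLS))
```

Running the script lists every sample URL with the decision each strategy would take; the last line names the URLs that only the loose rule catches. The same harness can be fed a day's worth of request paths from the server's HTTP log (after stripping host and query values you do not need) to see which legitimate URLs a candidate rule would silently redirect.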