There is a surprisingly easy exploit, known as cache poisoning, tracked as CVE-2020-11814.
Domino 10, 11 and 12 have an undocumented feature (as far as I can see) which can quickly be used to prevent this exploit. The feature is called “HTTP HOST Header Whitelist”, and HCL support says it was introduced in version 10. If this feature is not used, your server may be vulnerable to this exploit if your customers use a caching proxy, which many do.
HTTP requests have a header known as “Host”. It is used mainly by servers that serve many domains from a single IP address, the norm these days: the server uses the Host header to decide which domain to serve. Domino 12 also has this capability.
I thought that Domino 11 did not use this header, but a customer kindly showed me that I was wrong. The scenario was this:
##################
- Users on the corporate network access the internet via a (shared) forward proxy. All users connect to the internet via this proxy.
- Caching is enabled on the proxy to boost performance. Instead of reaching out to the internet to fulfil every client request, the proxy will serve pages from its cache when possible.
- An attacker wants to obtain a user’s credentials. They clone the ACME login page and publicly host it at https://badwebsite.com. In order to trick a user into logging in, they send a GET request to http://acme.focul.net with the host header set to badwebsite.com. The proxy receives the request from the attacker, and forwards it to the vulnerable site. As we have seen in the test results, the server will respond to this request with a 302 redirect to https://badwebsite.com.
- The proxy will update its cache with the server’s response, meaning subsequent requests through the same proxy for http://ACME.focul.net will receive the same 302 redirect to https://badwebsite.com based on the proxy’s cache. In other words, the next time a user tries to access the legitimate application via the same proxy, they will end up at the attacker’s site. While the different URL would be visible in the browser, it is likely not all users would notice it and would log in to https://badwebsite.com with their ACME credentials.
Thanks,
xxxxxxx
Cyber Security | Application Vulnerability Testing
##################
You can try this yourself using Postman or curl. It is disconcertingly easy. Rapid7.com is a vulnerability test provider.
This can be prevented, so that the server returns an error message instead of redirecting.
This is achieved with this setting in the Domino server document: Server > Internet Protocols > HTTP HOST Header Whitelist.
I would consider making this a standard on your servers. It will take some more admin work, but it may be worthwhile.
This is the second really useful security feature introduced in Domino 10 but not well documented. The first was the anti-CSRF feature.
It would be great if HCL did an “IBM Redbook” style document on Domino HTTP security. In the meantime, presentations like this one from Patrick Zarnikow are worth looking at.
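To make the customer's scenario and the effect of the whitelist concrete, here is a small model I have added to this post (it is not Domino code and not the tester's script). It simulates an origin that builds its HTTPS redirect from the incoming Host header, a shared forward proxy that caches by URL only, and the same origin with a Host allow-list. The host names acme.example and badwebsite.example and the path /login are constructed for the illustration.

```python
"""Model of the Host-header cache-poisoning scenario, with and without a
Host allow-list on the origin. Added example, not Domino code; all host
names and paths are constructed for illustration."""

from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

Response = Tuple[int, Dict[str, str]]  # (status code, response headers)

# Constructed names: the legitimate site and the look-alike from the scenario
LEGIT_HOST = "acme.example"
ROGUE_HOST = "badwebsite.example"


def redirecting_origin(allowed_hosts: Optional[Set[str]] = None) -> Callable[[str, str], Response]:
    """Return an origin handler.

    Without an allow-list it behaves like the vulnerable server in the report:
    the HTTPS redirect is built from whatever Host header arrives.
    With an allow-list (the HTTP HOST Header Whitelist idea) a request whose
    Host is not listed gets a 400 instead of a redirect, so the client-supplied
    value is never reflected. Entries in allowed_hosts must be lower-case.
    """
    def handle(host: str, path: str) -> Response:
        if allowed_hosts is not None and host.lower() not in allowed_hosts:
            return 400, {"Content-Type": "text/plain"}
        # Vulnerable behaviour: Location is derived from the Host header
        return 302, {"Location": f"https://{host}{path}"}
    return handle


@dataclass
class CachingProxy:
    """Shared forward proxy that caches by URL only, as in the scenario."""
    origin: Callable[[str, str], Response]
    cache: Dict[str, Response] = field(default_factory=dict)

    def get(self, url_host: str, path: str, host_header: Optional[str] = None) -> Response:
        key = f"http://{url_host.lower()}{path}"
        if key in self.cache:
            return self.cache[key]
        resp = self.origin(host_header or url_host, path)
        # A plain proxy cache keeps redirects; a poisoned entry is then served
        # to every user behind the same proxy until it expires.
        if resp[0] in (301, 302):
            self.cache[key] = resp
        return resp


def location_seen_by_next_user(allowed_hosts: Optional[Set[str]]) -> Optional[str]:
    """Replay the report's sequence and return the Location the next ordinary
    user is redirected to (None if the response is not a redirect)."""
    proxy = CachingProxy(redirecting_origin(allowed_hosts))
    # 1. A request for the real URL with a mismatched Host header goes through the proxy.
    proxy.get(LEGIT_HOST, "/login", host_header=ROGUE_HOST)
    # 2. An ordinary user asks for the real site through the same proxy.
    status, headers = proxy.get(LEGIT_HOST, "/login")
    return headers.get("Location") if status == 302 else None


def main() -> None:
    print("no allow-list  :", location_seen_by_next_user(None))
    print("with allow-list:", location_seen_by_next_user({LEGIT_HOST}))


if __name__ == "__main__":
    main()
```

Without the allow-list the second user is sent to the rogue host from the cache; with it, the mismatched request is refused with a 400, nothing poisoned is cached, and the next user gets the redirect to the legitimate host. Against a real Domino server the equivalent check is the curl request mentioned above: a GET with a Host header that is not on your whitelist should come back as an error, not as a 302 to that host.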