fighting for truth, justice, and a kick-butt lotus notes experience.

Kill your webadmin.NSF if you still have one

Detlev Poettgen  Juni 30 2014 07:44:42 AM
If you have still webadmin.nsf databases and webadmin.ntf templates located on your IBM Domino servers, it is time to delete them.

There is an serious issue out there since end of 2012:

CVE-2013-0489: Cross-site request forgery (CSR>F) vulnerability in webadmin.nsf (aka the Web Administrator client) in IBM Domino 8.5.x allows remote authenticated users to hijack the authentication of administrators.

IBM will not fix this one but had published in Nov. 2013 the following Technote:

No fixes are planned. IBM Domino Web Administrator is deprecated. Customers are advised to move to the fully functional Domino Administrator client.

http://www-01.ibm.com/support/docview.wss?uid=swg21652988



Don't argue, but just do it:

Delete the webadmin.nsf and the webadmin.ntf on all of your servers, if you still have them.

(Don't forget to delete the NTF, too. If the HTTP-Task will finds a webadmin.ntf during start, it will recreate a webadmin.nsf.)


Treffpunkte

Archive