Critical security issue in many Domino Web apps

by Arnd Koch,
assono GmbH, Standort Kiel,

In Web development the prase "Eval is evil" is used frequently, mainly in scripting languages like PHP, where this little function has a very bad reputation - for a very good reason. The evilness of Eval has its root cause in the usage of unchecked user input as part of the string to be evaluated. By crafting a special input a malicious user can execute arbitrary code on the server. This kind of code injection attacks are well known and have happened in many environments and languages in the past.

However, many Lotus Notes and Domino developers don't see any trouble in using the LotusScript function Evaluate (also available in Java), because the formula language seems to be harmless. However, this impression doesn't reflect the truth, even the restrictions in the Web environment don't make this secure.

A common mistake Domino Web developers make is using Evaluate and @URLDecode to decode data send by a Web browser without any checks to validate the input. Using Evaluate to url-decode data is the easiest way, because there is no url-encoding or url-decoding function available in LotusScript.

The problem is that missing checks of the input can lead to unfiltered code being inserted into evaluate string and executed either with the user's rights or even worse with server's rights. Normally the inserted string is clean and the code works as expected. In case the string contains some metacharacters by accident, execution usually ends in an error, because the evaluate string became invalid. However in the worst case a malicious person could forge his input in a way, which gives him control over the code being executed. This obviously can be used for various manipulations. For example, it is pretty easy to insert the @MailSend command and turn the Domino Web server into a spam spreading beast. If Evaluate is called with a Notes document as parameter, this document could be read and attached to the email without much effort, too.

Easy, but unsecure:
Public Function URLEncode(value As String) As String

    Dim result As Variant

    ' not good:
    ' -------------
    ' value is passed unchecked into the evaluate string
    result = Evaluate(|@URLEncode("UTF-8"; "| + value + |")|)
    URLEncode = result(0)
End Function
To avoid code injection, metacharacters like backslash \ and double-quote " should always be escaped. Also, the fact that in formula language the curly brackets can be used as string delimiters like the quote character, should be taken in to accout. These should be escaped, too, if needed.

Better:
Public Function URLEncode(value As String) As String

    Dim result As Variant
    Dim tmp As String

    ' better:
    ' ---------
    ' at least metacharakters like backslash and quote should be escaped
    tmp = Replace(value, |\|, |\\|)
    tmp = Replace(tmp, |"|, |\"|)

    ' and pass the now filtered string into evaluate
    result = Evaluate(|@URLEncode("UTF-8"; "| + tmp + |")|)
    URLEncode = result(0)
End Function
The bad thing about this is that code injected in this way is usually executed without any traces, so it an be used to send lots of spam emails at least until the server get listed on a few blacklists and the complete email transfer just stops working.

The best solution is of course to just don't use Evaluate in this way, especially in Web applications. However, using Evaluate for simple formulas like @WebDBName is rather uncritical, since there is usually no way that any user inputs get its way into the the formula.

After an examination of a few Domino-based products, this sort of vulnerability seems to be pretty common. I highly recommend you to audit your Notes and Domino applications, especially those reachable over the Web. Keep in mind that not only user input is a risk, but HTTP headers like user-agent can easily be manipulated, too.

Technical article IBM Domino Security Development

Sie haben Fragen zu diesem Artikel? Kontaktieren Sie uns gerne: blog@assono.de

Do you want an individual solution? Contact us

More interesting entries

Any questions? Contact us.

If you want to know more about our offers, you can contact us at any time. There are several ways to contact us for a non-binding first consultation.

We don’t sell your data. 100% guaranteed. See: Privacy Policy
assono GmbH

Location Kiel (headquarters)
assono GmbH
Lise-Meitner-Straße 1–7
24223 Schwentinental

Location Hamburg
assono GmbH
Bornkampsweg 58
22761 Hamburg

Phone numbers:
Human resources department: +49 4307 900 407
Marketing department: +49 4307 900 402

E-Mail adresses:
contact@assono.de
bewerbung@assono.de