FORUM PLAN UPDATE
Date revision: This forum will remain open to new posts and responses until December 1, 2018. (After that date, you will still be able to view and search the forum.) Also, we're taking a second look at the best place to host future conversation. For now, keep using this forum, and stay tuned for more news.



Mar 12, 2015, 1:50 AM
1 Posts

WAF Security and Domino

  • Category: Other
  • Platform: Windows
  • Release: 8.5.3
  • Role: Administrator,Developer
  • Tags: Security
  • Replies: 2

Hi Experts,

My company is using Domino as our email system and application platform. We have quite a few XPages applications. We have just bought a Barracuda Web Application Firewall. There are recommended "best practice" values for the WAF rules which our applications exceed or do not meet.

I am tasked to either (1) make adjustments to our applications to suit the recommended values or (2) justify an exception. We have gotten the applications to fall within the guidelines except for two points, which I recognize are a fundamental design of XPages but need some supporting documentation or an expert to lend weight to my justification for exceptions to be made.

1. Parameter Name length exceeded, recommended value 64, detected value 69

Example: Parameter name = view:_id1:include4:include1:_id68:repeat1:1:repeat3:0:section2_closed

Explanation: Form controls in XPages, when rendered on the client side, come with long IDs, as they are constructed in a hierarchical manner, leading to long names for controls nested deeply within other controls. Thus the parameter names for their return values easily surpass the Barracuda recommended value of 64.

Recommendation: To increase the allowed parameter name length to X

Help: Please suggest what should X be.

2. Slash-dot in URL path (https://www.owasp.org/index.php/Path_Traversal)

Example: www.mydomain.com/xsp/.ibmxspres/dojoroot-1.6.1

Explanation: Domino (and Dojo) have library names containing the dot, so to make use of those libraries the path must contain the dot as well.

Recommendation: To grant exception for Domino web application servers.

Help: If possible, please link any tech note from IBM regarding their response to this issue. I have tried searching, but either my google-fu is not strong enough or there is very little material in this regard.

Thank You.

Mar 12, 2015, 9:32 AM
6 Posts
Re: WAF Security and Domino

Though I don't have any IBM technotes to go along with it, I can at least throw in my two cents to agree that you are right on both counts.

For the first, I don't know that XPages has a particular upper bound: those names will increase with the structure of the app, so there's not a real max unless browsers or the server stack impose one. You could PROBABLY be fine with, say, 128, as long as you don't go too far with nested controls.

The second is even more cut-and-dried: "/.ibmxspres/" is not path traversal, nor would I expect it to be on any platform. I'm not sure why the firewall would flag a URL like that, really. Domino happens to use that to represent special directories on the server, but the URL itself doesn't include either "/./" or "/../", which would be the dangerous ones there. I'd expect them to worry more that it looks like it's accessing a hidden dotfile, but it's also not doing that.

Mar 12, 2015, 9:53 AM
589 Posts
wow

Well, I don't have a good answer for you... I tweeted this, so maybe some people smarter than me will chime in. If not, then maybe try posting on Stack Overflow...

I'm NOT an admin but my first thought is these are pretty stupid rules.  The Barracuda Web Application Firewall should exist to protect and service web applications. IT infrastructure needs to support applications and business needs.  The business should not bend to support IT infrastructure.  No one will log into the website because it's protected by a Barracuda firewall.  They log in for the web applications.  

The first one I don't get, as those are typically IDs I thought... not really parameters... but I'm not an expert on it. The ID conversion is kinda annoying, but when you repeat custom controls you can literally use the same thing over and over again... so it needs to do that to keep things unique. There probably is no maximum level that is safe. You could have a custom control to represent a generic input box. Then you could use that EVERYWHERE... it could get really deep... again, technically I don't know if there is a limit really...

And I understand the 2nd concern even less... That appears to be, as the Pennsylvania Dutch might say... fricken dumb... what don't they like? A directory with a dot in it? Every consumable open source project will likely have that in their folders to represent the version number. I guess it's that ibmxspres starts with a dot? So it's the /.ibmxspres that's the issue? I guess I don't know why this is a thing at all. /./ is traversal as mentioned here: http://www.iss.net/security_center/reference/vuln/HTTP_URL_dotpath.htm but /.foldername is not. Even that IBM document considers that low risk. Another doc on traversal is here: http://en.wikipedia.org/wiki/Directory_traversal_attack and nowhere is /.foldername mentioned as a path for an attack.

 

Just my 2 cents...
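The two WAF findings from the original post, and the distinction both replies draw between a traversal segment (`/./`, `/../`) and a dot-prefixed directory such as `/.ibmxspres/`, as an added example. This is not code from the original posters, from IBM or from Barracuda: it shows what a "slash-dot" rule should actually match, how a scoped exception for the Domino resource path can be written so that it does not also waive traversal checks, and how to measure the parameter-name length a WAF rule compares against 64. The exception prefix `/xsp/.ibmxspres/` is taken from the URL in the post; the sample POST body (the `$$viewid` and `$$xspsubmitid` fields) is constructed for this example.

```python
# Added example, not code from the original thread or from IBM/Barracuda.
# It shows what a "slash-dot" path rule should and should not match, and how
# to measure XPages parameter-name lengths in a posted form body.
# The exception prefix and the sample POST body are assumptions constructed
# for this example.
from urllib.parse import parse_qsl, unquote

DOT_SEGMENTS = {".", ".."}

# Assumption: only Domino's XPages resource directory is exempted, not every
# dot-prefixed directory on the server.
DOMINO_RESOURCE_PREFIX = "/xsp/.ibmxspres/"


def normalize_path(path: str) -> str:
    """Percent-decode repeatedly (bounded) and unify separators.

    Decoding more than once catches double encoding such as %252e%252e,
    which becomes %2e%2e and then '..'; the bound stops pathological input.
    """
    current = path
    for _ in range(3):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def traversal_segments(path: str) -> list:
    """Return the '.' and '..' segments in the path; these are what
    actually let a request walk the directory tree."""
    return [seg for seg in normalize_path(path).split("/") if seg in DOT_SEGMENTS]


def is_path_traversal(path: str) -> bool:
    return bool(traversal_segments(path))


def is_hidden_dot_directory(path: str) -> bool:
    """True if any segment is a dotfile-style name like '.ibmxspres' or
    '.git' (but not '.' or '..'); a dot inside a name, as in
    'dojoroot-1.6.1' or 'names.nsf', does not count."""
    return any(
        seg.startswith(".") and seg not in DOT_SEGMENTS
        for seg in normalize_path(path).split("/")
    )


def waf_decision(path: str) -> tuple:
    """Order matters: traversal is checked before the scoped exception, so
    '/xsp/.ibmxspres/../../names.nsf' is still blocked."""
    if is_path_traversal(path):
        return ("block", "dot-segment traversal: " + " ".join(traversal_segments(path)))
    if is_hidden_dot_directory(path):
        if normalize_path(path).startswith(DOMINO_RESOURCE_PREFIX):
            return ("allow", "Domino XPages resource directory (scoped exception)")
        return ("block", "hidden dot-directory outside the exception")
    return ("allow", "no dot segments")


def longest_param_name(body: str) -> tuple:
    """Return (name, length) of the longest parameter name in a
    urlencoded form body, the value a WAF 'parameter name length' rule
    measures."""
    names = [name for name, _ in parse_qsl(body, keep_blank_values=True)]
    longest = max(names, key=len, default="")
    return (longest, len(longest))


# Constructed sample POST body: the first name is the 69-character parameter
# from the original post; the $$viewid / $$xspsubmitid fields are assumed.
SAMPLE_BODY = (
    "view:_id1:include4:include1:_id68:repeat1:1:repeat3:0:section2_closed=false"
    "&$$viewid=!example!"
    "&$$xspsubmitid=view:_id1:_id5"
)

if __name__ == "__main__":
    for url_path in [
        "/xsp/.ibmxspres/dojoroot-1.6.1",        # the URL from the post
        "/mydb.nsf/home.xsp",                    # dots in names are fine
        "/xsp/./.ibmxspres/dojoroot-1.6.1",      # '/./' segment
        "/xsp/.ibmxspres/../../names.nsf",       # exception must not cover this
        "/xsp/%252e%252e/names.nsf",             # double-encoded '..'
        "/xsp/.hidden/config",                   # other dot-directory
    ]:
        print(f"{url_path:40} -> {waf_decision(url_path)}")
    print(longest_param_name(SAMPLE_BODY))
```

The point of checking traversal before applying the exception is that a prefix-scoped allow rule on `/xsp/.ibmxspres/` otherwise becomes a bypass for `/xsp/.ibmxspres/../../names.nsf`. For the parameter-name limit, run `longest_param_name` over real captured XPages POST bodies from the deepest pages in the application; that measured maximum, rather than a guess, is the evidence to attach to the exception request.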

