fighting for truth, justice, and a kick-butt lotus notes experience.

 
alt

Detlev Poettgen

 

Kill your webadmin.NSF if you still have one

 30 Juni 2014 09:44:42
If you have still webadmin.nsf databases and webadmin.ntf templates located on your IBM Domino servers, it is time to delete them.

There is an serious issue out there since end of 2012:

CVE-2013-0489: Cross-site request forgery (CSR>F) vulnerability in webadmin.nsf (aka the Web Administrator client) in IBM Domino 8.5.x allows remote authenticated users to hijack the authentication of administrators.

IBM will not fix this one but had published in Nov. 2013 the following Technote:

No fixes are planned. IBM Domino Web Administrator is deprecated. Customers are advised to move to the fully functional Domino Administrator client.

http://www-01.ibm.com/support/docview.wss?uid=swg21652988



Don't argue, but just do it:

Delete the webadmin.nsf and the webadmin.ntf on all of your servers, if you still have them.

(Don't forget to delete the NTF, too. If the HTTP-Task will finds a webadmin.ntf during start, it will recreate a webadmin.nsf.)