Solved

"sniffing document IDs"

Posted on 2004-08-10
188 Views
Last Modified: 2013-12-18
Hi:

Can you tell me if it's possible to determine a document unique id via the web? (i.e without the document being visible via the web?) I'm especially interested to know if there is any malicious software which can do this, and if so, how to defend against it.

-Ke
Question by:kkiddie
14 Comments
 
LVL 31

Expert Comment

by:qwaletee
ID: 11765029
It would be very difficult to do.  In R4 and R5, it would probably be easier to sniff out via DocIDs, which are much smaller and less random.
 
LVL 24

Expert Comment

by:HemanthaKumar
ID: 11765109
There is no malicious software to do that.. Your ACL does filter out most of those kinds of activity from external ..

What is that exactly that you are afraid of ?

~Hemanth
 
LVL 15

Accepted Solution

by:Bozzie4 (earned 250 total points)
ID: 11765137
Yes, this is possible.

At least, starting from R5.  Try this:

http://server/database.nsf/View?Readviewentries

It will show you the document unique IDs (among other things) in XML format.
You can of course deny those ?ReadViewEntries URLs.

cheers,

Tom
 
LVL 15

Expert Comment

by:Bozzie4
ID: 11765174
Of course, you would need access to the view, and the database, and you must be authorized to read the document in the first place.

But this does work just fine for views you could expect to be present in a database (($All), All Documents, LU, LUVIEW, lookup, ...), or with the $defaultview URL:

http://server/database.nsf/$defaultview?Readviewentries

cheers,

Tom
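As an added example (not code from this thread or from Domino itself), the following Python script parses a ?ReadViewEntries response of the kind Tom describes and lists the UNIDs it exposes, then builds a direct-open URL for each one. The XML is constructed in the shape Domino emits for this URL command (a viewentries root with one viewentry per row carrying unid and noteid attributes); the server, database, UNIDs and column text are made up, and using `0` as the placeholder view segment in the direct-open URL is an assumption of the example, not something the thread states.

```python
"""Extract document UNIDs from a Domino ?ReadViewEntries response.

Added example, not from the original thread. SAMPLE_XML is constructed in
the shape Domino emits for ?ReadViewEntries; server, database, UNIDs and
column values are made up.
"""
import re
import xml.etree.ElementTree as ET

# Constructed response for http://server/database.nsf/$defaultview?ReadViewEntries
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<viewentries toplevelentries="3">
<viewentry position="1" unid="5A1E2C0B3F4D6E7890123456789ABCDE" noteid="8F2" siblings="3">
<entrydata columnnumber="0" name="Subject"><text>Product brochure</text></entrydata>
</viewentry>
<viewentry position="2" unid="0123456789ABCDEF0123456789ABCDEF" noteid="8F6" siblings="3">
<entrydata columnnumber="0" name="Subject"><text>Config: mail gateway</text></entrydata>
</viewentry>
<viewentry position="3" unid="FEDCBA9876543210FEDCBA9876543210" noteid="8FA" siblings="3">
<entrydata columnnumber="0" name="Subject"><text>Image store: logo.gif</text></entrydata>
</viewentry>
</viewentries>
"""

# A Notes UNID is 32 hexadecimal digits.
UNID_RE = re.compile(r"^[0-9A-F]{32}$")


def extract_entries(xml_text):
    """Return one dict per view row: position, unid, noteid and first column text.

    Rows whose unid attribute is not a 32-hex-digit UNID are skipped rather
    than trusted; an empty view (no <viewentry> rows) yields an empty list.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "viewentries":
        raise ValueError("not a ReadViewEntries response: root is %r" % root.tag)
    entries = []
    for row in root.iter("viewentry"):
        unid = (row.get("unid") or "").upper()
        if not UNID_RE.match(unid):
            continue
        first_col = row.find("entrydata/text")
        entries.append({
            "position": row.get("position"),
            "unid": unid,
            "noteid": row.get("noteid"),
            "first_column": first_col.text if first_col is not None else "",
        })
    return entries


def direct_open_url(db_url, unid):
    """URL that opens a document by UNID alone.

    The thread notes that the view segment is irrelevant once the UNID is
    known; "0" is used as the placeholder here (an assumption of this example).
    """
    return "%s/0/%s?OpenDocument" % (db_url.rstrip("/"), unid)


if __name__ == "__main__":
    for e in extract_entries(SAMPLE_XML):
        print(e["position"], e["unid"], e["first_column"])
        print("   ", direct_open_url("http://server/database.nsf", e["unid"]))
```

Point the same parser at a real response saved to disk and every row of the view becomes a directly addressable document, which is why the thread's later advice (Readers fields and ACL, not obscurity) is the actual control.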
 

Author Comment

by:kkiddie
ID: 11765203
I just detected this and it seems curious... tell me if it's correct... if you know the document unique id (of a document with no readers field on it), even if the document has been created with the form security set to prevent web reading, and the view security is set to prevent web use, you can still access the document.

Additionally, you don't even have to know a valid view name... random characters in place of the view name will work.

Anything you can tell me about this would be appreciated.

As well, if I did want to put a readers field on a form... would I just set a default value of the appropriate ACL groups or individuals?... and this would prevent it from being read even if one knows the unique document id?

-Ke
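The behaviour Ke describes (UNIDs harvested via ?ReadViewEntries, then documents opened through a view name that does not exist) leaves a recognisable trail in the HTTP access log. The following Python detector is added here and is not part of the thread: it runs over constructed Common Log Format lines and flags ReadViewEntries requests and by-UNID opens through unknown view names, then reports clients that did both. The database name, client addresses and the set of views assumed to exist in the database are assumptions of the example.

```python
"""Flag UNID enumeration and direct-by-UNID opens in a Domino HTTP access log.

Added example, not from the original thread. SAMPLE_LOG is constructed in
Common Log Format; the database name, client addresses and KNOWN_VIEWS are
assumptions of this example.
"""
import re
from collections import defaultdict

# Views that legitimately exist in database.nsf (assumed for this example).
KNOWN_VIEWS = {"main", "$defaultview"}

# Constructed log lines: one client enumerates with ?ReadViewEntries and then
# opens a document through a made-up view name; the other uses a real view.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Aug/2004:09:12:41 +0000] "GET /database.nsf/$defaultview?ReadViewEntries HTTP/1.1" 200 4321
192.0.2.10 - - [10/Aug/2004:09:12:45 +0000] "GET /database.nsf/xq9z/5A1E2C0B3F4D6E7890123456789ABCDE?OpenDocument HTTP/1.1" 200 2210
203.0.113.5 - - [10/Aug/2004:09:13:02 +0000] "GET /database.nsf/Main?OpenView HTTP/1.1" 200 9000
203.0.113.5 - - [10/Aug/2004:09:13:10 +0000] "GET /database.nsf/Main/5A1E2C0B3F4D6E7890123456789ABCDE?OpenDocument HTTP/1.1" 200 2210
203.0.113.5 - - [10/Aug/2004:09:13:12 +0000] "GET /logo.gif HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# /<db>.nsf/<view>/<32-hex UNID>, with or without a query string after it
UNID_OPEN_RE = re.compile(
    r'^/(?P<db>[^/?]+\.nsf)/(?P<view>[^/?]+)/(?P<unid>[0-9A-Fa-f]{32})(?:\?|$)'
)
RVE_RE = re.compile(r'\?readviewentries', re.IGNORECASE)


def classify(path):
    """Return a tag for one request path, or None if nothing is notable."""
    if RVE_RE.search(path):
        return "readviewentries"
    m = UNID_OPEN_RE.match(path)
    if m and m.group("view").lower() not in KNOWN_VIEWS:
        return "unid-open-unknown-view"
    return None


def scan(log_text):
    """Return (findings, enumerators).

    findings: list of (ip, tag, path) for every notable request, in log order.
    enumerators: set of client IPs that pulled ?ReadViewEntries and also
    opened documents by UNID, i.e. the enumerate-then-open pattern.
    """
    findings = []
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the scan
        ip, path = m.group("ip"), m.group("path")
        tag = classify(path)
        if tag:
            findings.append((ip, tag, path))
            seen[ip].add(tag)
        elif UNID_OPEN_RE.match(path):
            seen[ip].add("unid-open")  # by-UNID open via a known view
    enumerators = {
        ip for ip, tags in seen.items()
        if "readviewentries" in tags and tags & {"unid-open", "unid-open-unknown-view"}
    }
    return findings, enumerators


if __name__ == "__main__":
    findings, enumerators = scan(SAMPLE_LOG)
    for ip, tag, path in findings:
        print(ip, tag, path)
    print("enumerate-then-open clients:", sorted(enumerators))
```

The unknown-view check is what turns the "random characters in place of the view name" observation into a signal: legitimate links generated by the application use real view names, so a by-UNID open through a name that is not in the design is worth a look even when the ACL allowed it.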
 
LVL 15

Expert Comment

by:Bozzie4
ID: 11765354
If you know the document unique ID, you can open the document if
- you can read the document (access through ACL, and readers fields)
- there is a form to display the document (you could have forms for notes use only, or a special form for web use)

cheers,

Tom
 
LVL 24

Expert Comment

by:HemanthaKumar
ID: 11765714
In the ACL, set Default to No Access and set Anonymous to No Access. This will force only the users who are authorized to access the data... thus keeping out the "malicious" users..
 
LVL 15

Expert Comment

by:Bozzie4
ID: 11765817
Hemantha, if you want to create a Notes based website, that's not really a solution, is it ?

So if you do allow anonymous access to your database, you have to be careful when designing the application.  Don't rely on 'security thru obscurity' to secure your application ....

cheers,

Tom
 
LVL 24

Expert Comment

by:HemanthaKumar
ID: 11765886
basically that is what he wants.. prevent other users to mess around..
 
LVL 24

Expert Comment

by:HemanthaKumar
ID: 11765959
Another way is to hide the location by using frames
 
LVL 15

Expert Comment

by:Bozzie4
ID: 11766205
That's 'security thru obscurity'.  No would-be hacker or nosy sniffer will be stopped by that :-)
 
LVL 31

Expert Comment

by:qwaletee
ID: 11766679
If your users all use the same root hierarchical certifier, and all Notes client users SHOULD be able to read all documents, then set up a readers field with */RootCertName (you will also want to set up a separate readers field with a true name, because I don't remember whether */Cert works with both ACL and readers, or just ACL, and if I am wrong, you will have a phantom doc in your DB).

A variation of the above:  If your web users will all be anonymous, then create a role called NonAnon, and assign the role to all ACL entries EXCEPT Anonymous (make sure you do have an entry named Anonymous).  Then, set a readers field with [NonAnon] computed for it.

Now, if your web users are not always anonymous, then you just need a well designed readers-restricted app to start with.
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 11767483
I just fail to see what the problem is. If you open a database for web users, then those documents are meant to be visible, aren't they? If users aren't supposed to watch them, then hide them, protect them, or move them to a separate database. Users modifying documents can easily be prevented.

But don't you have exactly the same (or worse) with any HTML-based website? Sniffing documents there isn't that difficult. Checking www.website.ext/default.htm or /index.htm or just generate names and you'll strike oil some day. And so what? The document is visible, yes, but who has a public website with only invisible pages? Luckily, with Notes, you can pull up a nice fence where you want it.
 
LVL 15

Expert Comment

by:Bozzie4
ID: 11767503
The problem could be that some documents, although the content is public, are not meant to show.
Examples are documents where you store attachments (images,...) or configuration documents.

Of course, the biggest problem would be a less-than-perfect design to begin with....

cheers,

Tom
