I recently downloaded the contents of a Lotus Notes Domino database to Excel without any access to the database. If you’ll recall, I do audit consulting, and was performing an audit at a Fortune 100 company.
I was told that a ticket I needed for evidence was in a certain Domino database, accessible from the intranet. I could access the database’s search filter and enter the ticket number, but nothing appeared. I was later told that was because I didn’t have access to the database. However, I saw a “Dump to Excel” button, clicked it, and was able to download the entire database to Excel, which of course included the ticket data I was after.
Evidently, the button and the resulting command issued to the database use a system account that has full access to the database, and the user’s authentication is not checked. You might want to search your intranet for “download to Excel” buttons and give them a poke. Let me know what you find.
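As an added illustration (not code from the original post, and not a Domino API), here is a minimal model of the flaw the post describes: the search path honours the caller’s rights, while the export path runs as a service account and never consults them. All names (Database, SERVICE_ACCOUNT, export_vulnerable, suspicious_exports) and the sample ACL, records and audit log are constructed for this example; the fixed export and the audit helper show the check a defender would want on every bulk path.

```python
from dataclasses import dataclass, field

SERVICE_ACCOUNT = "svc-domino"   # constructed: account the export button runs as


@dataclass
class Database:
    acl: set                        # users granted read access (constructed)
    records: list = field(default_factory=list)

    def can_read(self, user):
        return user in self.acl

    def search(self, user, ticket_id):
        # The search form honours the caller's rights: no access, no hits.
        if not self.can_read(user):
            return []
        return [r for r in self.records if r["ticket"] == ticket_id]


def export_vulnerable(db, user):
    # Mirrors the 'Dump to Excel' button: runs as the service account,
    # and the calling user is never checked.
    assert db.can_read(SERVICE_ACCOUNT)
    return list(db.records)


def export_fixed(db, user):
    # Apply the same authorization the search path applies, to the bulk path.
    if not db.can_read(user):
        raise PermissionError(f"{user}: no read access to this database")
    return list(db.records)


def suspicious_exports(db, audit_log):
    # Audit helper: export events by users the ACL does not grant read access.
    return [(u, rows) for (u, action, rows) in audit_log
            if action == "export" and not db.can_read(u)]


# Constructed sample data: the auditor is not in the ACL.
TICKETS = Database(acl={SERVICE_ACCOUNT, "helpdesk"},
                   records=[{"ticket": "T-1001"}, {"ticket": "T-1002"}])

# Constructed audit log entries: (user, action, rows returned)
AUDIT_LOG = [("helpdesk", "export", 2),
             ("auditor", "search", 0),
             ("auditor", "export", 2)]
```

Running `search` and `export_vulnerable` for the same unauthorized user shows the inconsistency the post relies on; `suspicious_exports` is the kind of check to run over export logs for such buttons.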
Your assumption is wrong to start with. Domino is a development platform, so it allows someone to ‘build’ applications on it. Lotus Notes as a product is not failing; the development of the app, and more specifically its security aspects, are failing. Don’t expect that every Notes database has a ‘download to Excel’ button; it was coded by someone that way. As if a failing program running on Windows is Microsoft’s fault. It just doesn’t make sense.
Stijn,
I’m not sure what assumption you’re referring to. My point was that I should not be able to download an entire database that I do not have access to (and should not have access to) by clicking a button. I don’t think I implied that Notes was failing or that every database has such a button. Just that if it has such a button, it should NOT give the farm away with a single click.
But I do agree, it just doesn’t make sense to do such a thing.
Pingback: Download SharePoint Data w/o Rights | ITauditSecurity