Santa Clara, Calif. - May 19, 2000 - Perfecto Technologies, the leading developer of Web application security management software, today released its latest Black Watch Labs advisory. The advisory describes how Lotus Domino provides elaborate and rich Access Control Lists (ACLs) that control access to objects, e.g. web pages. Some applications, however, do not employ ACLs properly, and rely on a successful user log-in procedure as the only security measure for protection against illegal access. Such a mechanism can be easily bypassed, and the web pages can be viewed by an unprivileged user.

Suppose that the application has page A (which should be world readable), with a link to page B, which should be readable only by privileged users. Also suppose that this application is not properly configured, that is, both A and B are viewable by the anonymous web user (with respect to their ACLs). Finally, the link from A to B is such that it pops up a log-in window (this is done by appending "&login" to the link). The application seems to require a valid log-in before accessing the privileged page B, and indeed, failure to provide a valid log-in results in an error page rather than page B. However, if the attacker inspects the link from A to B, manually removes the "&login", and then requests this link (i.e. attempts to access page B), the request is granted and page B is presented to him/her.

It should be stressed that the attacker did not bypass the ACL mechanism provided by Lotus Domino. The problem is that the application falsely assumed that the login phase is mandatory for accessing page B, although page B's ACL allows all possible users to view it. In fact, the "&login" parameter cannot force the user to actually undergo the login phase, and Lotus Domino does not enforce going through a login phase in order to get the next page. For more information go to https://www.perfectotech.com/blackwatchlabs/.
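The following is an added example, not code from Perfecto Technologies, Lotus or the advisory itself. It models the access decision the advisory describes: a small Domino-like server in which a "login" query argument only prompts for credentials, while the read decision is made by the page's ACL alone. The page names (pageA.nsf, pageB.nsf), the user account, the URL form "?Open&login" and the ACL entries are constructed for illustration. The `audit` function shows why the misconfigured ACL leaks page B once "&login" is stripped, and why naming the privileged readers in page B's ACL (and excluding Anonymous) is the fix: the server then demands a login no matter what the link says.

```python
# Added example (not code from Perfecto Technologies, Lotus or the advisory):
# a small model of the access decision the advisory describes. Page names,
# user accounts, URLs and ACL entries are constructed for illustration.
from urllib.parse import parse_qs, urlsplit

ANONYMOUS = "Anonymous"


class Page:
    """A web-accessible object with its own ACL (set of principals allowed to read)."""

    def __init__(self, name, acl):
        self.name = name
        self.acl = set(acl)


class DominoLikeServer:
    """Authorization is decided by the page's ACL alone.

    A 'login' query argument only makes the server demand credentials; it
    does not change the ACL decision, which is the behaviour the advisory
    describes for Lotus Domino's '&login'.
    """

    def __init__(self, pages, users):
        self.pages = {p.name: p for p in pages}
        self.users = dict(users)  # username -> password (constructed accounts)

    def request(self, url, credentials=None):
        parts = urlsplit(url)
        page = self.pages.get(parts.path.lstrip("/"))
        if page is None:
            return 404, None
        query = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}

        principal = ANONYMOUS
        if credentials is not None:
            user, password = credentials
            if self.users.get(user) == password:
                principal = user

        # Either the explicit login request or an ACL that does not admit
        # Anonymous forces the login phase; only the second is a real control,
        # because the client decides whether '&login' is present in the URL.
        if principal == ANONYMOUS and ("login" in query or ANONYMOUS not in page.acl):
            return 401, "login required"
        if principal in page.acl or ANONYMOUS in page.acl:
            return 200, page.name
        return 403, None


def build_server(page_b_acl):
    pages = [Page("pageA.nsf", {ANONYMOUS}), Page("pageB.nsf", page_b_acl)]
    return DominoLikeServer(pages, {"alice": "s3cret"})


def misconfigured_server():
    """The advisory's case: page B's ACL admits Anonymous, so only '&login' stands in the way."""
    return build_server({ANONYMOUS, "alice"})


def corrected_server():
    """The fix: page B's ACL names the privileged readers and excludes Anonymous."""
    return build_server({"alice"})


def audit(server):
    """Return the status codes an anonymous client gets for the link as published
    (with &login), for the same link with &login stripped, and for a valid user."""
    with_login = server.request("/pageB.nsf?Open&login")[0]
    stripped = server.request("/pageB.nsf?Open")[0]
    authenticated = server.request("/pageB.nsf?Open", ("alice", "s3cret"))[0]
    return with_login, stripped, authenticated


if __name__ == "__main__":
    print("misconfigured:", audit(misconfigured_server()))  # (401, 200, 200): stripped link leaks page B
    print("corrected:   ", audit(corrected_server()))       # (401, 401, 200): ACL enforces the login
```

The same comparison is what a configuration review should apply to a Domino application: for every page that is meant to be privileged, the ACL itself must exclude Anonymous, and a login prompt triggered from the link is not evidence that it does.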
About Black Watch Labs
(www.perfectotech.com/blackwatchlabs/)

Black Watch Labs is a research group operated by Perfecto Technologies Inc., the leader in Web Application Security Management. Black Watch Labs was established in order to further the knowledge of the Internet community in the arena of Web application security management. Black Watch Labs publishes security advisories regularly, which are maintained at https://www.perfectotech.com/blackwatchlabs/, and are also posted to relevant security lists and Web sites. Black Watch Labs also operates a Web application security mailing list, which can be subscribed to at https://www.perfectotech.com/blackwatchlabs/. For more info about Black Watch Labs and Web Application Security Management, please call (408) 352-2000 or email [email protected].
 
About Perfecto Technologies

Founded in 1997 and headquartered in Santa Clara, Calif., Perfecto Technologies is the leader in Web Application Security Management software. AppShield, Perfecto Technologies' flagship product, is the first to provide extreme security for customer-facing applications in dynamic Web site environments. Perfecto Technologies has customers in many sectors including banking, e-tailing, finance, government and healthcare. Privately held, Perfecto Technologies is funded by blue-chip venture capital firms and industry leaders, including Sequoia Capital, Walden and Intel Corporation. More information about Perfecto Technologies may be obtained by visiting the Company's Web site at www.perfectotech.com or by calling the Company directly at (408) 352-2000.
 
For Immediate Release

Contact:
Diane Fraiman
Perfecto Technologies, Inc.
(408) 352-2000
[email protected]

Kevin Pedraja
Sterling Communications
(408) 441-4100
[email protected]