HCL Domino Ideas Portal


Status Already Exists
Workspace Domino
Categories Security
Created by Guest
Created on Sep 15, 2022

Disabling wink to be used as a potential attack vector

Seeing more and more attempts to use Wink as an attack vector (see example below). Looking into the possibility of disabling Wink so that it won't cause any potential security risk.

03/17/2022 10:04:27 AM HTTP JVM: 1399490 [Thread-11] INFO org.apache.wink.server.internal.RequestProcessor - The following error occurred during the invocation of the handlers chain: WebApplicationException (404 - Not Found) with message 'null' while processing GET request sent to https:
03/17/2022 10:04:27 AM HTTP JVM: /IPAddress/api/geojson?url=file:///etc/hosts
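Reading the two console lines quoted above back into one request, as an added example that is not part of this post or of HCL's product: a small Python script that folds Domino's multi-line HTTP JVM messages back together, picks out the Wink RequestProcessor entries, and flags `url`-style query parameters that point at `file://` or at non-public addresses. The sample log is constructed here (its first two lines follow the post, the remaining lines are invented), the HTTP JVM line layout is an assumption based on those two lines, and repairing the dropped slash in `https:/IPAddress` is likewise an assumption.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample of Domino HTTP JVM console output. The first two lines
# follow the ones quoted in the post; the rest are made up for this example
# to show a second probe (cloud metadata address) and a benign request.
SAMPLE_LOG = """\
03/17/2022 10:04:27 AM HTTP JVM: 1399490 [Thread-11] INFO org.apache.wink.server.internal.RequestProcessor - The following error occurred during the invocation of the handlers chain: WebApplicationException (404 - Not Found) with message 'null' while processing GET request sent to https:
03/17/2022 10:04:27 AM HTTP JVM: /IPAddress/api/geojson?url=file:///etc/hosts
03/17/2022 10:05:02 AM HTTP JVM: 1399512 [Thread-11] INFO org.apache.wink.server.internal.RequestProcessor - The following error occurred during the invocation of the handlers chain: WebApplicationException (404 - Not Found) with message 'null' while processing GET request sent to https:
03/17/2022 10:05:02 AM HTTP JVM: /IPAddress/api/geojson?url=http://169.254.169.254/latest/meta-data/
03/17/2022 10:06:10 AM HTTP JVM: 1399530 [Thread-11] INFO org.apache.wink.server.internal.RequestProcessor - The following error occurred during the invocation of the handlers chain: WebApplicationException (404 - Not Found) with message 'null' while processing GET request sent to https:
03/17/2022 10:06:10 AM HTTP JVM: /IPAddress/api/data/documents
"""

# Assumed layout: every console line carries a timestamp and "HTTP JVM:";
# the first line of a message also has "<id> [Thread-N] LEVEL", a
# continuation line does not.
PREFIX_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M) HTTP JVM: (?P<body>.*)$"
)
HEADER_RE = re.compile(r"^\d+ \[[^\]]+\] [A-Z]+ ")
WINK_RE = re.compile(
    r"org\.apache\.wink\.server\.internal\.RequestProcessor - .*?"
    r"while processing (?P<method>[A-Z]+) request sent to (?P<url>\S+)$"
)
# Schemes that make a fetch-by-URL parameter an LFI/SSRF probe.
SUSPICIOUS_SCHEMES = {"file", "gopher", "dict", "ftp", "jar", "netdoc"}


def fold_jvm_lines(lines):
    """Return [(timestamp, message)] with continuation lines glued back on."""
    records = []
    for line in lines:
        m = PREFIX_RE.match(line)
        if not m:
            continue  # not an HTTP JVM line; ignore
        body = m.group("body")
        if HEADER_RE.match(body) or not records:
            records.append([m.group("ts"), body])
        else:
            records[-1][1] += body  # continuation: no header, same message
    return [(ts, body) for ts, body in records]


def normalize_url(url):
    """Assumption: the console dropped a slash ('https:' + '/host/...')."""
    return re.sub(r"^(https?):/+", r"\1://", url)


def classify_target(target):
    """Reason string if the fetched URL is a probe target, else None."""
    parts = urlsplit(target)
    scheme = parts.scheme.lower()
    if scheme in SUSPICIOUS_SCHEMES:
        return f"scheme {scheme}"
    host = parts.hostname or ""
    if host == "localhost":
        return f"non-public address {host}"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # ordinary hostname; not flagged by this check
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return f"non-public address {host}"
    return None


def find_wink_probes(log_text):
    """Scan console text and return one finding per suspicious parameter."""
    findings = []
    for ts, body in fold_jvm_lines(log_text.splitlines()):
        m = WINK_RE.search(body)
        if not m:
            continue
        url = normalize_url(m.group("url"))
        parts = urlsplit(url)
        for param, values in parse_qs(parts.query).items():
            for value in values:
                reason = classify_target(value)
                if reason:
                    findings.append({
                        "time": ts,
                        "method": m.group("method"),
                        "path": parts.path,
                        "param": param,
                        "target": value,
                        "reason": reason,
                    })
    return findings


if __name__ == "__main__":
    for f in find_wink_probes(SAMPLE_LOG):
        print(f"{f['time']} {f['method']} {f['path']} {f['param']}={f['target']} ({f['reason']})")
```

A 404 from RequestProcessor means Wink found no resource at that path, so the request in the post was not served; the script treats the attempt itself as the signal, which is the distinction the thread turns on. Run it over real console output by replacing `SAMPLE_LOG` with the file contents.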

  • Guest, Sep 15, 2022

    "I" did NOT open this Idea (see below). I have had a support ticket open (CS0300620) for over 6 months now. I am seeing more and more attempts to use WINK as an attack vector, for example trying to get to the hosts file etc. We do not use Wink and wanted to understand how to mitigate this potential vulnerability. The response from support was that since the logs only show 404s, "there was no vulnerability". My view has been (as a CISSP) to worry about the ones that may have actually worked and given a bad actor access to information that could be used to access the system.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    2022-09-15 15:14:30 UTC - Christian Sinfuego, Additional comments:

    Hi, Trevor.

    As we have already created an enhancement request in the HCL #Dominoforever Product Idea Portal.

    Our development team in future releases will come up with a plan, provided it is not hampering any existing functionality of Notes.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • Admin: Thomas Hampel, Sep 15, 2022
    If you think this is causing any form of vulnerability, please immediately report this to PSIRT by opening a ticket. The ideation forum is not the right place for this kind of submission.

    https://www.hcltechsw.com/resources/psirt