HCL Domino Ideas Portal


Status No Plans to Implement
Workspace Traveler
Created by Guest
Created on Jan 3, 2020

Should hide https://hostname/api/core/ for security reasons

From Traveler 9.0.1.21, an end user can anonymously access the URL below: https://hostname/api/core/

And gets the following info:

{
  "links": [
    {"rel": "pwstats", "href": "/api/core/pwstats"},
    {"rel": "nonce", "href": "/api/core/nonce"},
    {"rel": "stats", "href": "/api/core/stats"}
  ]
}
 
The customer thinks this is not safe for their Traveler server and wishes to hide this info.

From Traveler R11, an end user accessing the same URL sees the pop-up:
Do you want to open or save core.json from hostname?
If they click the save button, the core.json file is saved locally; opening it shows the info below:
{
  "links": [
        {
      "rel":"pwstats",
      "href":"\/api\/core\/pwstats"
    },
        {
      "rel":"imasettings",
      "href":"\/api\/core\/imasettings"
    },
        {
      "rel":"nonce",
      "href":"\/api\/core\/nonce"
    },
        {
      "rel":"stats",
      "href":"\/api\/core\/stats"
    }
  ]
}
  • Guest, Jan 8, 2020

    I mostly disagree. The world is moving towards API first.  They also report per user which makes sense from an API point of view. Although having users be able to get to this could create noise, I don't see how this is a security issue.

     

    Our Traveler server and several client ones show the session authentication dialog and do not allow anonymous access. You've allowed anonymous access to that URL. You should block anonymous. See Thomas' comment, as well.

  • Guest, Jan 5, 2020

    What is unsafe about getting those statistics as a user, when you are authenticated?
    Those statistics are per-user statistics. Per-user statistics can only be queried if you have an authenticated user in the first place ;-)

    So I would not see how this should be "unsafe".


    Also, in general, as a best practice for any server not providing public services, you should disable anonymous access for HTTP at the server level.

     

    My traveler server does only allow HTTPS and only authenticated user access.

     

    [ Daniel Nashed / http://blog.nashcom.de ]
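The practical check behind the advice in this thread (block anonymous access at the server level, then confirm that /api/ and /api/core/ no longer answer an unauthenticated request with JSON) can be scripted. The following is an added example written for this page, not code from HCL or from any commenter. It assumes a server with anonymous access disabled answers 401/403 or serves the HTML session-login form (as the Jan 8 comment describes) instead of JSON, and that the JSON documents follow the shape shown in the post; the hostname, the canned responses and the `fake_fetch` helper are constructed for offline use.

```python
"""Probe a Domino/Traveler server for anonymously reachable REST discovery
endpoints (/api/ and /api/core/) and summarise what they reveal.

Added example, not HCL code. Assumption (not stated in the thread): a
server with anonymous HTTP access disabled returns 401/403, or 200 with
the HTML session-login form, while an exposed one returns 200 with JSON.
"""
import json
import ssl
import urllib.error
import urllib.request

DISCOVERY_PATHS = ("/api/", "/api/core/")


def fetch_anonymous(url, timeout=10):
    """GET url with no credentials; return (status, body_text)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout,
                                    context=ssl.create_default_context()) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify(status, body):
    """Map an anonymous response to a verdict string."""
    if status in (401, 403):
        return "protected"
    if status == 404:
        return "absent"
    if status == 200:
        try:
            json.loads(body)
            return "exposed"          # discovery document served to anonymous
        except ValueError:
            return "login-form"       # Domino session-auth dialog, not JSON
    return "unexpected"


def summarise_services(body):
    """From the /api/ services document, return names of enabled services."""
    doc = json.loads(body)
    return sorted(s["name"] for s in doc.get("services", []) if s.get("enabled"))


def summarise_links(body):
    """From the /api/core/ document, return the advertised link hrefs."""
    doc = json.loads(body)
    return [link["href"] for link in doc.get("links", [])]


def probe(base_url, fetch=fetch_anonymous):
    """Probe each discovery path; return {path: {status, verdict, detail}}."""
    results = {}
    for path in DISCOVERY_PATHS:
        status, body = fetch(base_url.rstrip("/") + path)
        verdict = classify(status, body)
        detail = None
        if verdict == "exposed":
            detail = summarise_services(body) if path == "/api/" else summarise_links(body)
        results[path] = {"status": status, "verdict": verdict, "detail": detail}
    return results


# Constructed sample responses modelled on the thread's output (not captured
# from a real server): one exposed server and one with anonymous blocked.
SAMPLE_EXPOSED = {
    "/api/": (200, json.dumps({"services": [
        {"name": "Core", "enabled": True, "version": "9.0.1.v10_00", "href": "/api/core"},
        {"name": "Mail", "enabled": False, "version": "9.0.1.v10_00", "href": "/api/mail"},
        {"name": "TravelerAdmin", "enabled": True, "version": "9.0.1.21", "href": "/api/traveler"},
    ]})),
    "/api/core/": (200, json.dumps({"links": [
        {"rel": "pwstats", "href": "/api/core/pwstats"},
        {"rel": "nonce", "href": "/api/core/nonce"},
        {"rel": "stats", "href": "/api/core/stats"},
    ]})),
}
SAMPLE_HARDENED = {
    "/api/": (401, "Unauthorized"),
    "/api/core/": (200, "<html><body><form>Session login</form></body></html>"),
}


def fake_fetch(responses):
    """Build a fetch() stand-in that serves canned responses by URL suffix."""
    def _fetch(url, timeout=10):
        for path, resp in responses.items():
            if url.endswith(path):
                return resp
        return 404, ""
    return _fetch


if __name__ == "__main__":
    for label, canned in (("exposed", SAMPLE_EXPOSED), ("hardened", SAMPLE_HARDENED)):
        print(label, probe("https://hostname", fetch=fake_fetch(canned)))
    # Against a live server, drop the fetch override: probe("https://your.traveler.host")
```

Run it against a real server after changing the anonymous-access setting; a "login-form" or "protected" verdict on both paths confirms the change took effect, while "exposed" with a non-empty detail list shows exactly which service names, versions and link targets an unauthenticated client can still enumerate.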

  • Admin Thomas Hampel, Jan 3, 2020

    By default, the URLs are access protected.
    Did you enable Domino Access Services on this machine?

  • Guest, Jan 3, 2020

    And the URL below can also be accessed anonymously:

    https://hostname/api/

     

    End users can get the following info:

    {
      "services": [
        {"name": "Calendar", "enabled": false, "version": "9.0.1.v10_00", "href": "/api/calendar"},
        {"name": "FreeBusy", "enabled": false, "version": "9.0.1.v10_00", "href": "/api/freebusy"},
        {"name": "Core", "enabled": true, "version": "9.0.1.v10_00", "href": "/api/core"},
        {"name": "Data", "enabled": false, "version": "9.0.1.v10_00", "href": "/api/data"},
        {"name": "Mail", "enabled": false, "version": "9.0.1.v10_00", "href": "/api/mail"},
        {"name": "TravelerAdmin", "enabled": true, "version": "9.0.1.21", "href": "/api/traveler"}
      ]
    }