A quarter of European Web sites using the Lotus Domino server are open to attack from hackers because of poor implementation.
Using a simple probe, researchers at 'Computing''s sister paper 'CM Corporate' in Belgium accessed 840 Domino-based sites, including some run by the Open University, an Irish bank, the Dutch police, publisher IDG and even IBM.
Domino, launched in 1996, is a Web enabled version of Lotus Notes. It allows users to distribute access to Notes across the Web.
If Domino users do not set up their sites properly, outsiders have only to add "names.nsf" or "catalog.nsf" to the Web address to access internal domains and databases through the Internet.
'CM Corporate' tested 3,230 European servers with a program that checked whether the "names.nsf" file of a Domino server was closed or open. A quarter were open, including around 100 sites in the UK.
Grant Pearson of the Lotus User Group said: "There is good security in Domino. The problems are down to poor implementation. You have to fix the access control properly."
Victor Aberdeen, Lotus UK manager responsible for Domino, said the problem was "down to the administration of the site. We have the best security on the market, but it has to be set up properly".
After the issue came to light in January, Lotus published advice about access control on its Web site. The recommendations still stand, said Aberdeen.
Pearson said it takes more than guidelines on a Web site to solve the problem.
"You need simpler advice for people, such as 10 bullet points on how to set this up right. It is just too complicated for people," he said.
Notes was conceived as a closed program that uses multiple databases. When access is allowed via the Web, care is required in setting up the access control lists (ACLs). They contain high levels of detail on who is given access to which database. A Domino server that is connected to the Internet can be perfectly secure.
But the system manager must set up the ACLs. If they do not, in most cases Domino's default rights allow access to all databases, and in some cases even allow them to be amended. This may not be a problem in a closed environment such as a LAN, but can be disastrous on the Internet.
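The exposure the article describes leaves a clear trace in a Web server's access log: a request for one of the Domino system databases, answered with HTTP 200, from an address outside the organisation. The following script is an added example (not code from the article, Lotus or 'CM Corporate') that runs that check over constructed Common Log Format lines. The database names come from the article; the internal address ranges, the log lines and the status-code convention are assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Domino system databases the article names as reachable when ACLs are left at
# their defaults (assumption: this is the set an administrator wants to watch).
SENSITIVE_NSF = {"names.nsf", "catalog.nsf"}

# Constructed internal ranges (assumption): only requests from outside them
# count as Internet exposure.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Common Log Format: host ident authuser [date] "method path protocol" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def is_internal(addr):
    """True if the client address falls inside one of the internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def requested_sensitive_db(path):
    """True if the first path segment is one of the watched databases.

    Domino URLs look like /names.nsf or /names.nsf/SomeView?OpenView, so only
    the first segment is compared, case-insensitively.
    """
    first = urlsplit(path).path.lstrip("/").split("/", 1)[0].lower()
    return first in SENSITIVE_NSF


def find_exposures(log_lines):
    """Return (client, path, status) for every successful external hit on a
    watched database; a 200 from outside means the ACL let anonymous users in."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        client, _method, path, status = m.groups()
        if status == "200" and requested_sensitive_db(path) and not is_internal(client):
            hits.append((client, path, int(status)))
    return hits


# Constructed sample log lines (documentation address ranges, no real hosts).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jan/1999:10:01:02 +0000] "GET /names.nsf HTTP/1.0" 200 4123',
    '203.0.113.5 - - [12/Jan/1999:10:01:05 +0000] "GET /names.nsf/People?OpenView HTTP/1.0" 200 9988',
    '10.1.2.3 - - [12/Jan/1999:10:02:11 +0000] "GET /catalog.nsf HTTP/1.0" 200 512',
    '198.51.100.7 - - [12/Jan/1999:10:03:40 +0000] "GET /catalog.nsf HTTP/1.0" 401 0',
    '198.51.100.7 - - [12/Jan/1999:10:03:41 +0000] "GET /index.html HTTP/1.0" 200 1200',
    '198.51.100.9 - - [12/Jan/1999:10:04:00 +0000] "GET /CATALOG.NSF HTTP/1.0" 200 777',
]

if __name__ == "__main__":
    for client, path, status in find_exposures(SAMPLE_LOG):
        print(f"exposed: {client} fetched {path} (HTTP {status})")
```

The internal hit on catalog.nsf and the 401-denied request are deliberately not reported: the first is the LAN case the article says is usually harmless, the second shows an ACL doing its job. Three lines remain, the two anonymous reads of names.nsf and the upper-case request for catalog.nsf, which is why the comparison is case-insensitive.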