Wait, I LIKE Domino Web Administrator!
11/13/2013 12:52 PM
That's just great, instead of just fixing the problem, throw the thing away. Thanks, IBM

I was enormously disappointed in IBM's announcement the other day that they're deprecating the use of Domino Web Administrator. Apparently they found that all current versions (and likely earlier ones) are vulnerable to a form of cross-site scripting hack, so rather than figure out the problem and fix it, they appear to be simply shit-canning it.

At a time when they're pushing MOBILEMOBILEMOBILE, and "bring your own device" through every possible orifice of their being, this is beyond stupid and becomes suspicious.

Their official workaround is, "use the fully-functional Domino Administrator Client." They do suggest that using the tool as the only session in a given browser mitigates the threat, which seems simple enough to do until they implement a fix. However, it appears they've chosen to shit-can the tool rather than fix it.

Sure, use the Notes Administrator Client. Which, as we all know, is only available on Windows. Those of you who have to resolve an urgent problem late at night on a high-end smartphone, tablet, a non-Windows laptop, or on a borrowed machine at a client site, the business center at your hotel on vacation, or at Grandma's house, well, you can just go pound salt.

Or, as I likely will do, I'll go ahead and use WebAdmin anyway. It's worked decently for years (yeah, I'm well aware of its shortcomings, but it's saved my ass far more times than it's caused problems, and I am likely not the only one for whom this is the case), and it will probably continue to work decently for years. However, IBM can now absolve itself of any potential harm you suffer simply because they don't seem to want to fix a problem.

I haven't delved into the NSF, so I don't know the details about the low-level nature of the solution, or the real extent of the risk. ISS and SecurityFocus (see links in the security bulletin linked above) seem to assign it a pretty low level of risk, but I suppose something bad could happen if you had a really inexperienced admin who wasn't used to using DWA. Beyond this, I wouldn't hold my breath waiting for IBM to provide enough details about the potential exploit to allow the community (or customers who now depend on WebAdmin to get work done every day) to resolve it on their own. I can understand why they'd choose not to detail the exploit.

However, at this time, when their entire focus seems to be on universal access and mobility, it's beyond asinine to basically say, "go to one specific client on one specific computing device running one specific operating system, and work from that and that alone, and if you can't, let the mofo burn to the ground."

We were supposed to be moving the other way, folks.

