On the heels of earlier iDefense Labs Inc. reports of Domino DoS vulnerabilities, security software service provider and Web information clearing house Secunia.com has posted news of a number of security-related flaws in Domino. The flaws largely concern pre-Domino 6.5.4 version software, and fixes are available, according to Domino-maker IBM.
According to Secunia, and IBM, which issued report updates on all the relevant vulnerabilities, the problems include use of the @SetHTTPHeader function to inject content into headers.
Other problems noted were:
- A buffer overflow condition that can occur when submitting a large amount of data to certain time/date fields that can be updated from the Web;
- An boundary error in NOTES.INI on a Lotus Notes client that can be exploited to cause a buffer overflow; and,
- A format string error in the Domino server that can occur when handling authentication using the NRPC Notes protocol if it is fed certain strings and format specifiers.
The earlier vulnerability reported by iDefense Labs Inc., a seven-year-old provider of security intelligence services, centered on a denial of service (DoS) vulnerability in a Lotus Domino Server 6.5.1 Web service that allows attackers to crash the service. The problem was said to exist within the module NLSCCSTR.DLL.