Home > Domino News > Update: Pair of Notes/Domino vulnerabilities discovered
Domino News:
EMAIL THIS

Update: Pair of Notes/Domino vulnerabilities discovered

By Eric B. Parizo, News Editor
24 Jun 2004 | SearchDomino.com

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   

Two vulnerabilities in IBM Lotus Notes and Domino have been discovered that could be exploited to conduct cross-site scripting attacks and execute malicious code on a user's system, but a security expert said neither should be considered a serious threat.

According to Secunia, the first flaw involves the exploitations of an unspecified input validation error, which can enable malicious cross-site scripting attacks against users.

The second issue, discovered originally by security firm iDefense Inc., stems from an input validation error within the Notes URL handler. It can reportedly be exploited to execute arbitrary code on a user's system by forcing a Notes client to use a remote, custom notes.ini configuration file via a universal naming convention path. That file will then point to a remote data directory containing malicious DLL files, which will be loaded onto the system.

For more information

Need help with Notes/Domino security? Ask our expert, Chuck Connell.

Learn how to find a PC that's sending spam through a Domino server.

View the Secunia bulletin.
Affected systems include Domino R6, Notes R6.x and Notes R6.x Client. Both issues have been confirmed by IBM Lotus.

Chuck Connell, president of Domino consultancy CHC-3 Consulting and operator of DominoSecurity.org, said the cross-site scripting error was discovered some time ago by IBM, but was not disclosed until it had been remedied.

"They have no news that anyone ever used this exploit, so that's a pretty good story," said Connell. "I would consider it a low vulnerability."

He said the URL handler issue is more serious, but "the attackers would really have to know what they're doing in order to exploit it."

According to IBM Lotus, both issues have been resolved in versions 6.0.4 and 6.5.2. For earlier releases, cross-site scripting can be prevented by creating a full-text index for databases that allow public access.

The URL handler error can be prevented in earlier releases if the use of Internet shares is restricted via firewall configuration or registry settings. The exploitation will also fail if the Notes client is already running on a user's workstation.

Connell added that the URL handler vulnerability can quickly be remedied by removing one line of code from the registry.

"All that [line] does is it allows people to launch Notes from a browser URL, which is a very unusual thing to do anyway."

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   



RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary



Lotus Notes Server Solutions - Quickr, Domino Server, Websphere
HomeTopicsITKnowledge ExchangeTipsAsk the ExpertsMultimediaWhite PapersDomino IT Downloads
About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
SEARCH 
TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Site Map




All Rights Reserved, Copyright 1999 - 2009, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts