Update: Pair of Notes/Domino vulnerabilities discovered


Two vulnerabilities in IBM Lotus Notes and Domino have been discovered that could be exploited to conduct cross-site scripting attacks and execute malicious code on a user's system, but a security expert said neither should be considered a serious threat.

According to Secunia, the first flaw involves the exploitation of an unspecified input validation error, which can enable malicious cross-site scripting attacks against users.

The second issue, discovered originally by security firm iDefense Inc., stems from an input validation error within the Notes URL handler. It can reportedly be exploited to execute arbitrary code on a user's system by forcing a Notes client to use a remote, custom notes.ini configuration file via a universal naming convention path. That file will then point to a remote data directory containing malicious DLL files, which will be loaded onto the system.


Affected systems include Domino R6, Notes R6.x and Notes R6.x Client. Both issues have been confirmed by IBM Lotus.

Chuck Connell, president of Domino consultancy CHC-3 Consulting and operator of DominoSecurity.org, said the cross-site scripting error was discovered some time ago by IBM, but was not disclosed until it had been remedied.

"They have no news that anyone ever used this exploit, so that's a pretty good story," said Connell. "I would consider it a low vulnerability."

He said the URL handler issue is more serious, but "the attackers would really have to know what they're doing in order to exploit it."

According to IBM Lotus, both issues have been resolved in versions 6.0.4 and 6.5.2. For earlier releases, cross-site scripting can be prevented by creating a full-text index for databases that allow public access.

The URL handler error can be prevented in earlier releases if the use of Internet shares is restricted via firewall configuration or registry settings. The exploitation will also fail if the Notes client is already running on a user's workstation.

Connell added that the URL handler vulnerability can quickly be remedied by removing one line of code from the registry.

"All that [line] does is it allows people to launch Notes from a browser URL, which is a very unusual thing to do anyway."