Two vulnerabilities in IBM Lotus Notes and Domino have been discovered that could be exploited to conduct cross-site scripting attacks and execute malicious code on a user's system, but a security expert said neither should be considered a serious threat.
According to Secunia, the first flaw involves exploitation of an unspecified input validation error, which can enable malicious cross-site scripting attacks against users.
The second issue, discovered originally by security firm iDefense Inc., stems from an input validation error within the Notes URL handler. It can reportedly be exploited to execute arbitrary code on a user's system by forcing a Notes client to use a remote, custom notes.ini configuration file via a Universal Naming Convention (UNC) path. That file will then point to a remote data directory containing malicious DLL files, which will be loaded onto the system.
Chuck Connell, president of Domino consultancy CHC-3 Consulting and operator of DominoSecurity.org, said the cross-site scripting error was discovered some time ago by IBM, but was not disclosed until it had been remedied.
"They have no news that anyone ever used this exploit, so that's a pretty good story," said Connell. "I would consider it a low vulnerability."
He said the URL handler issue is more serious, but "the attackers would really have to know what they're doing in order to exploit it."
According to IBM Lotus, both issues have been resolved in versions 6.0.4 and 6.5.2. For earlier releases, cross-site scripting can be prevented by creating a full-text index for databases that allow public access.
The URL handler error can be prevented in earlier releases if the use of Internet shares is restricted via firewall configuration or registry settings. The exploitation will also fail if the Notes client is already running on a user's workstation.
Connell added that the URL handler vulnerability can quickly be remedied by removing one line of code from the registry.
"All that [line] does is it allows people to launch Notes from a browser URL, which is a very unusual thing to do anyway."