
Update: Pair of Notes/Domino vulnerabilities discovered

Eric B. Parizo, Executive Editor

Two vulnerabilities in IBM Lotus Notes and Domino have been discovered that could be exploited to conduct cross-site scripting attacks and execute malicious code on a user's system, but a security expert said neither should be considered a serious threat.

According to Secunia, the first flaw involves the exploitation of an unspecified input validation error, which can enable malicious cross-site scripting attacks against users.

The second issue, discovered originally by security firm iDefense Inc., stems from an input validation error within the Notes URL handler. It can reportedly be exploited to execute arbitrary code on a user's system by forcing a Notes client to use a remote, custom notes.ini configuration file via a Universal Naming Convention (UNC) path. That file then points to a remote data directory containing malicious DLL files, which will be loaded onto the system.


Affected systems include Domino R6, Notes R6.x and Notes R6.x Client. Both issues have been confirmed by IBM Lotus.

Chuck Connell, president of Domino consultancy CHC-3 Consulting and operator of DominoSecurity.org, said the cross-site scripting error was discovered some time ago by IBM, but was not disclosed until it had been remedied.

"They have no news that anyone ever used this exploit, so that's a pretty good story," said Connell. "I would consider it a low vulnerability."

He said the URL handler issue is more serious, but "the attackers would really have to know what they're doing in order to exploit it."

According to IBM Lotus, both issues have been resolved in versions 6.0.4 and 6.5.2. For earlier releases, cross-site scripting can be prevented by creating a full-text index for databases that allow public access.

The URL handler error can be prevented in earlier releases if the use of Internet shares is restricted via firewall configuration or registry settings. The exploitation will also fail if the Notes client is already running on a user's workstation.

Connell added that the URL handler vulnerability can quickly be remedied by removing one line of code from the registry.

"All that [line] does is it allows people to launch Notes from a browser URL, which is a very unusual thing to do anyway."

