News Stay informed about the latest enterprise technology news and product updates.

Vulnerability found in Lotus Notes for Linux

A configuration problem in Lotus Notes for Linux could expose files to malicious eyes.

A local vulnerability in a Lotus Notes for Linux configuration file could allow a malicious user to manipulate...

the values of essential configuration parameters and gain access to files.

When installing Lotus Notes for Linux, the default permissions for the "notesdata/notes.ini" configuration file are "666". This gives malicious local users the ability to open the file, change the values of configuration parameters and save them. The local copy of Notes would then run using these altered parameter values, which could cause Notes to operate improperly and possibly destroy or alter data.

Administrators should set permissions on the configuration file so that unauthorized users can't write to the file.

This vulnerability exists in Lotus Notes 6.0.2, and it may exist in other versions. Lotus Notes version 6.x has exhibited other vulnerabilities in the past, including a buffer overflow when handling long .zip file names, a heap overflow with long HTTP status lines, and an error in the Java Virtual Machine.

The vulnerability was discovered by a coder known as l0om who requested anonymity. l0om is a member of a team of security researchers that maintains the German Web site

"There are faulty default permissions for the important configuration file notesdata/notes.ini. [The permissions are] rw-rw-rw-," l0om said. "We could modify CleanupScriptPath to a binary in our $HOME, which could spawn a suid shell next time cleanup is executed. We could change NotesProgram to some directory in our $HOME. Notes will try to find a binary in our fake directory, which could spawn a suid shell for us."

Dig Deeper on Alternative operating system security

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.