News Stay informed about the latest enterprise technology news and product updates.

Update: Pair of Notes/Domino vulnerabilities discovered

New Notes and Domino security flaws could be exploited to conduct cross-site scripting attacks and compromise some systems, but a Domino security expert says neither should be considered a major threat.

Two vulnerabilities in IBM Lotus Notes and Domino have been discovered that could be exploited to conduct cross-site scripting attacks and execute malicious code on a user's system, but a security expert said neither should be considered a serious threat.

According to Secunia, the first flaw involves the exploitations of an unspecified input validation error, which can enable malicious cross-site scripting attacks against users.

The second issue, discovered originally by security firm iDefense Inc., stems from an input validation error within the Notes URL handler. It can reportedly be exploited to execute arbitrary code on a user's system by forcing a Notes client to use a remote, custom notes.ini configuration file via a universal naming convention path. That file will then point to a remote data directory containing malicious DLL files, which will be loaded onto the system.

For more information

Need help with Notes/Domino security? Ask our expert, Chuck Connell.

Learn how to find a PC that's sending spam through a Domino server.

View the Secunia bulletin.

Affected systems include Domino R6, Notes R6.x and Notes R6.x Client. Both issues have been confirmed by IBM Lotus.

Chuck Connell, president of Domino consultancy CHC-3 Consulting and operator of, said the cross-site scripting error was discovered some time ago by IBM, but was not disclosed until it had been remedied.

"They have no news that anyone ever used this exploit, so that's a pretty good story," said Connell. "I would consider it a low vulnerability."

He said the URL handler issue is more serious, but "the attackers would really have to know what they're doing in order to exploit it."

According to IBM Lotus, both issues have been resolved in versions 6.0.4 and 6.5.2. For earlier releases, cross-site scripting can be prevented by creating a full-text index for databases that allow public access.

The URL handler error can be prevented in earlier releases if the use of Internet shares is restricted via firewall configuration or registry settings. The exploitation will also fail if the Notes client is already running on a user's workstation.

Connell added that the URL handler vulnerability can quickly be remedied by removing one line of code from the registry.

"All that [line] does is it allows people to launch Notes from a browser URL, which is a very unusual thing to do anyway."

Dig Deeper on Risk assessments, metrics and frameworks

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.