Vulnerability

Lotus Notes

Affected

Systems running Lotus Notes 4.6+ Client

Description

The following information is based on the L0pht Advisory. Versions 4.6+ of the Lotus Notes Client appear to be vulnerable; lower versions may also be vulnerable but are untested at this time. The vulnerability affects companies that use Lotus Notes primarily for development purposes or as an Intranet. Also, any servers that were distributed with the Lotus Notes Client and that are not running the HTTPD task by default are vulnerable.

Note: This assumes Domino servers have been patched following the previous advisory (see mUNIXes area). Additionally, previous vulnerabilities (web users can write to remote server drives and change server configuration files) now come into play once more with the addition of the vulnerability in the Notes Client. No new vulnerability exists in Lotus Domino servers that run the HTTP task by default.

Remote intruders can potentially retrieve: in development databases, confidential company records, etc. All of the above can be achieved by connecting to a vulnerable Notes Client.

To test (from within the Lotus Notes 4.6+ Client):

1. Open any given database
2. Click Actions -> Preview in Web Browser

This should have launched your designated web browser and connected to http://199.99.99.99/database or something similar. Even though you only have the Notes Client installed on the machine and not the server, the HTTPD task is now running and accepting connections on port 80. Thus anyone on the Internet could then request http://199.99.99.99/domcfg.nsf/?open or even http://199.99.99.99 (to get a listing of the available databases). Subsequently they could open the log and see the database(s) the given user was recently accessing or modifying. From this point they can search around and manipulate documents that do a wide variety of things.

Domino URL commands (which can be used to edit, delete, and manipulate files via the web) can be found in all documentation as well as at:

http://www.notes.net/today.nsf/cbb328e5c12843a9852563dc006721c7/ca5230f9baf39fe1852564b5005e8419

Solution

ACLs need to be edited manually by a competent admin to ensure security. For example, if domlog.nsf could be read, that alone is a security breach. Set up routing filters to disallow access to the HTTP port of Notes Client-only machines.
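
To confirm that the routing filters are effective, an administrator can audit the workstations that should be Notes Client only and flag any that still answer on port 80. The script below is an added example, not part of the advisory or of L0pht's material; the function names, the Server banner token and the sample replies are assumptions, and the addresses are documentation addresses.

```python
import socket

# Assumption: the HTTP task puts this token in its Server header; verify on a known host.
DOMINO_TOKEN = "lotus-domino"

def parse_server_header(raw: bytes) -> str:
    """Return the Server header value of a raw HTTP response, or ''."""
    for line in raw.decode("latin-1").splitlines()[1:]:
        if not line.strip():
            break  # blank line: end of headers, ignore the body
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return ""

def probe(host, port=80, timeout=3.0):
    """Return response bytes, b'' if open but silent, None if not reachable."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None  # closed, or already blocked by a routing filter
    with sock:
        try:
            sock.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            return sock.recv(4096)
        except OSError:
            return b""

def audit(client_hosts, probe_fn=probe):
    """Map each client-only host to 'closed', 'http-open' or 'notes-http'."""
    findings = {}
    for host in client_hosts:
        raw = probe_fn(host)
        if raw is None:
            findings[host] = "closed"
        elif DOMINO_TOKEN in parse_server_header(raw).lower():
            findings[host] = "notes-http"
        else:
            findings[host] = "http-open"
    return findings

if __name__ == "__main__":
    canned = {  # constructed replies for three workstations
        "192.0.2.10": None,
        "192.0.2.11": b"HTTP/1.0 200 OK\r\nServer: Lotus-Domino/Release-4.6\r\n\r\n",
        "192.0.2.12": b"HTTP/1.0 200 OK\r\nServer: ExampleHTTPd/1.0\r\n\r\n",
    }
    for host, state in audit(canned, probe_fn=canned.get).items():
        print(host, state)
```

Run it from outside the filtered segment against your own workstation inventory; any host reported as notes-http is still reachable and needs its filter or ACLs reviewed.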