Recently, Lotus posted five potential security alerts on their web site (www.lotus.com/security). The list is below, along with my comments about each.
Long String of UNICODE 430 Characters Reported to Cause Denial of Service on Domino Web Server -- This vulnerability was reported by iDEFENSE. Lotus was not able to reproduce it with any version of Domino and therefore did not fix it. Please let me (Chuck) know directly if you believe this vulnerability is real and/or if you are able to exploit it.
CERT VU#699798 - Lotus Domino allows HTTP header injection -- This exploit, while verified by Lotus, requires an attacker to create and install a maliciously coded application on a Domino server. It is low risk, in my opinion.
Potential Denial of Service Vulnerability During Notes Authentication -- This vulnerability was verified by Lotus, and relates to the way user authentication data is passed between Domino and a Notes client. It is possible to use this exploit to crash the server. Lotus and Symantec (who found the issue) have released no details about the vulnerability, so I cannot determine how serious the threat is. Because it involves the NRPC protocol between Notes and Domino, I suspect it is hard to exploit.
Buffer Overruns in Certain Date Fields Cause Domino Server Crash -- This is probably the most serious vulnerability of the set. An attacker can cause a server crash by submitting bad data to an editable date field in a Domino web application.
Potential Denial of Service Vulnerability in Notes Client -- This exploit requires an attacker to edit a user's NOTES.INI file on a workstation. I believe it is a very low risk exploit, but Lotus has fixed the problem.
Releases 6.0.5 and 6.5.4 address all of these issues. I encourage readers to perform this upgrade. « Chuck Connell »
This hasn't come up in a while, but someone wanted to validate a rich text field in a recent project. There are a couple ways to do it, and it depends on what you are trying to validate - text and/or other items like attachments or links. This tip talks about the different ways to validate a rich text field. « Breaking Par »
Recently I wrote an agent that I knew was going to take a lot of memory while running. In an effort to save as much memory as possible, I decided to use the Byte data type for small numbers instead of the Integer data type. If you're going to use that data type, there's something you should know... « Breaking Par »
There is a Notes.ini setting you can use to disable the properties box from automatically appearing when you open a design element in Domino Designer, like a view or an agent: DesignNoInitialInfobox=1... « Michael Sobczak »
This article describes how you can work with file attachments in Lotus Connectors LotusScript Extension (LCLSX). We show how LCLSX handles file attachments and present a sample application to demonstrate file attachment processing... « Andre Guirard »
We conclude our two-part series on troubleshooting Domino application performance with a look at new tools introduced in Lotus Notes/Domino 7 that can help you identify potential performance issues in your applications... « Julie Kadashevich/Raphael Savir »
Learn how to build an application that reads data out of SAP and places it into a Domino database, using powerful tools such as Lotus Enterprise Integrator, Domino Enterprise Connection Services, and Lotus Connectors LotusScript Extension... « Scott Morris »
See how significantly your Domino Web Access client performance can improve with the release 6.5.3 hotfix (included in Domino Web Access 6.5.4 and later). Administrators and users learn tips to increase performance and to improve user satisfaction... « Dana St. Clair »
When it comes to application performance, faster is better. In part one of this series, we offer a tried-and-true method for troubleshooting application performance with a real-life example of how we applied this process to a customer's application... « Julie Kadashevich/Raphael Savir »
Long String of ASCII 430 Characters Reported to Cause Denial of Service on Domino Web Server
CERT VU#699798 - Lotus Domino allows HTTP header injection
Potential Denial of Service Vulnerability During Notes Authentication
Buffer Overruns in Certain Date Fields Cause Domino Server Crash
Potential Denial of Service Vulnerability in Notes Client « IBM/Lotus »
Most developers know that if you are looking up a value with @DbLookup and provide a key that doesn't exist, Notes will give you an "Entry not found in index" error message. But what about other scenarios? For example, what happens if you look up a key that does exist, but retrieve a value from a field that doesn't exist? This tip covers several possibilities, and lets you know the results... « Breaking Par »
Electronic GA Customers can get the code from their Passport Site. BPs can download from Partnerworld... « IBM/Lotus »
There are a total of 2137 keywords in the database. There is 1 new or updated entry this month... « DRCC »
Has this ever happened to you: all of a sudden you see thousands of documents that were deleted months ago back in your application. Just about everyone I know who has created an application with local replicas has seen this happen. And everyone who has seen it wants to find out who did it so they can give them 20 lashes with a wet noodle. (Or at least a replication lesson). This tip, although not fool-proof, at least helps track down the culprit... « Breaking Par »