.: News4Notes :: 29.04.2005 :: 18:28 :: Lotus Notes and Domino News :.
DominoSecurity newsletter -- Five security alerts from Lotus
by Chuck Connell

Recently, Lotus posted five potential security alerts on their web site (www.lotus.com/security). The list is below, along with my comments about each.
Long String of UNICODE 430 Characters Reported to Cause Denial of Service on Domino Web Server -- This vulnerability was reported by iDEFENSE. Lotus was not able to reproduce it with any version of Domino and therefore did not fix it. Please let me (Chuck) know directly if you believe this vulnerability is real and/or if you are able to exploit it.
CERT VU#699798 - Lotus Domino allows HTTP header injection -- This exploit, while verified by Lotus, requires an attacker to create and install a maliciously coded application on a Domino server. It is low risk, in my opinion.
Potential Denial of Service Vulnerability During Notes Authentication -- This vulnerability was verified by Lotus, and relates to the way user authentication data is passed between Domino and a Notes client. It is possible to use this exploit to crash the server. Lotus and Symantec (who found the issue) have released no details about the vulnerability, so I cannot determine how serious the threat is. Because it involves the NRPC protocol between Notes and Domino, I suspect it is hard to exploit.
Buffer Overruns in Certain Date Fields Cause Domino Server Crash -- This is probably the most serious vulnerability of the set. An attacker can cause a server crash by submitting bad data to an editable date field in a Domino web application.
Potential Denial of Service Vulnerability in Notes Client -- This exploit requires an attacker to edit a user's NOTES.INI file on a workstation. I believe it is a very low risk exploit, but Lotus has fixed the problem.
Releases 6.0.5 and 6.5.4 address all of these issues. I encourage readers to perform this upgrade.