
New flaw discovered in Lotus Domino

Administrators were left with potentially insecure email servers after a new exploit was discovered in Lotus Domino.

David Ludlow, Network News, Network IT Week 23 Feb 2001

A BugTraq member said: "Design flaws in Lotus Notes databases mean that a user with sufficient knowledge can craft a Lotus Notes email in such a way that the recipient only has to open or view the email to become infected or run arbitrary code."

The problem was tracked to the way that Lotus Notes allows developers to create forms that, unlike normal email, do not rely on a specific template in a database but instead use their own built-in templates, which travel inside the document as stored forms.

A Lotus Notes developer could create an email-enabled worm specifically for Lotus Notes networks, which could delete files or change permissions on mail files. The default mail settings automatically allow the reception of these stored forms. A second BugTraq member claimed that by using LotusScript he was able to remotely reboot a user's computer.

The worry is that someone could simply copy and paste the Melissa virus into a Lotus Notes email, infecting this environment and sending the infected email externally as well.

The current advice is to make sure that the Execution Control List (ECL) is configured properly. This list allows only trusted parties to execute code on a remote computer. Unfortunately, the ECL has only been publicised since Release 5, and older systems are likely to remain open.

It was also claimed that a coder could create a Lotus Notes domain while posing as 'Lotus Notes Template Development/Lotus Notes'. The ECL on all Lotus systems automatically accepts this.

Lotus was unavailable for comment.

First published in Network News
