http://www.ibm.com/software/lotus/support Listing of security support documents en-us Copyright 2008 IBM Corporation lotussupport_webteam@us.ibm.com http://www.ibm.com/software/lotus/support/images/lotus-logo.gif http://www.ibm.com/software/lotus/support There is a potential cross-site scripting (XSS) vulnerability in the servlet engine/Web container in Lotus Domino Web servers. This issue has been addressed in Lotus Domino releases 7.0.3 Fix Pack 1 (FP1) and 8.0.1. http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21303296&ca=wplcsecurity MWR InfoSecurity contacted IBM Lotus to report a potential denial of service vulnerability with the Lotus Domino Web server. This issue has been addressed in Lotus Domino releases 7.0.3 Fix Pack 1 (FP1) and 8.0.1. http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21303057&ca=wplcsecurity TippingPoint's Zero Day Initiative contacted IBM Lotus to report a potential stack overflow vulnerability with the IBM Lotus Sametime Community Services multiplexer (MUX). The issue is fixed in Sametime 8.0.1 and in hotfix ICAE-7DPP83 for Sametime 7.5.1 Cumulative Fix 1 (CF1).http://www-1.ibm.com/support/docview.wss?rs=477&uid=swg21303920&ca=wplcsecurity IBM Lotus was made aware of a potential vulnerability in Lotus Symphony which utilizes Lotus Expeditor code that may allow an attacker to execute malicious code on a user's workstation under certain circumstances.http://www-1.ibm.com/support/docview.wss?rs=3366&uid=swg21303813&ca=wplcsecurity Secunia contacted IBM Lotus to report several potential buffer overflow vulnerabilities in the Lotus Notes File viewers. These issues are relative to the following file attachment types: Applix Presents (.ag), Folio Flat File (.fff), HTML speed reader (.htm), KeyView document viewing engine and text mail (MIME) http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21298453&ca=wplcsecurity Mikkel Heisterberg contacted IBM Lotus to report a security concern with the notes.jar file. http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21248025&ca=wplcsecurity Andrew Christiansen contacted IBM Lotus to report a potential vulnerability in unauthenticated transactions using the Notes Remote Procedure Call (NRPC) protocol on port 1352.http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21248026&ca=wplcsecurity iDEFENSE contacted IBM Lotus to report two potential overflow vulnerabilities in the tunekrnl file used by IBM Lotus Domino on Linux operating systems.http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21249173&ca=wplcsecurity Secunia contacted IBM Lotus to report a potential vulnerability regarding default install permissions in the Lotus Notes client on Windows. http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21246773&ca=wplcsecurity Under certain circumstances, replying to email messages in which identical user names were entered in both the To and cc fields may result in the values contained in the AltCopyTo and INetCopyTo fields being out of sync with the CopyTo field.http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21243602&ca=wplcsecurity Is Lotus Notes vulnerable to the DynaZip issue reported in CERT VU# 582498?http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21229932&ca=wplcsecurity Under certain circumstances, replying to email messages sent from or to users with alternate names, which have been edited after saving, may send the message to users whose names were deleted from the To, cc, or bcc fields. Similarly, upon receipt of messages where alternate names are used the To, cc, and bcc fields may contain names previously deleted, despite the fact the message was never delivered to those names. http://www.ibm.com/support/docview.wss?rs=475&uid=swg21240386&ca=wplcsecurity Under particular circumstances, an attacker may be able to craft a malicious message that will cause the Router to hang while trying to deliver it. The Router task will consume 100% CPU and new mail will not be delivered until the message has been deleted. The Domino server does not crash. Stopping and restarting the server will not resolve the problem as the message will still be in the queue. The message must be deleted for the Router to resume normal functioning. http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21211952 Rapid7 Inc. reported a possible Denial of Service issue with the Web Retriever process on the Domino server and Notes client. The Web Retriever process allows Notes users to access web servers and retrieve content either locally from their Notes workstation or from a Domino server running the Web Retriever task.http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21105060&ca=wplcsecurity Rapid7, Inc. has reported a buffer overflow condition during authentication to the Domino server using the Notes protocol (NRPC). This can cause the Domino server to crash, causing a Denial of Service. The problem was demonstrated on the TCP/IP port (1352), but could theoretically impact other ports configured for use by Notes, such as NETBIOS, SPX or XPC. http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21105101&ca=wplcsecurity A potential buffer overflow problem has been identified during authentication to a Lotus Domino Web Server. When logging to DOMLOG.NSF is enabled on the server and the Domino Server processes a long HTTP Authenticate header containing certain non-ASCII characters, the server may crash. http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21095910&ca=wplcsecurity It has been reported that some oddly-formed envelopes for SMTP messages cause a mail routing loop that consumes 100% of the CPU on a Domino SMTP 5.x server. This issue requires the removal of these messages from MAIL.BOX to free the server from repetitive looping. http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21100797&ca=wplcsecurity Lotus Domino on UNIX platforms is vulnerable to a flaw that can allow a local attacker to gain root privileges. The problem is due to insufficient bounds checking with the PATH environment variable. An attacker can use a PATH that, when processed, will execute arbitrary code. http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21100441&ca=wplcsecurity Lotus Domino is vulnerable to a buffer overflow condition that allows a local attacker to gain root privileges. The problem is due to insufficient bounds checking for the Notes_ExecDirectory environment variable. An attacker can use a string for Notes_ExecDirectory that, when processed, will execute arbitrary code. http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21095569&ca=wplcsecurity Bugtraq reports that if a user submits an HTTP request for a nonexistent .pl file, the server returns a 500 error page containing the full path of the file. http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21084812&ca=wplcsecurity CERT Advisory CA-2002-03 Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMPv1) reported a class of vulnerabilities with SNMP. http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21086705&ca=wplcsecurity Bugtraq reports that the Domino Web server authentication process may be bypassed if a remote request for the file is submitted with a maliciously constructed filename of a given length. http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21085077&ca=wplcsecurity Bugtraq has reported that a remote user can determine the validity of a user name by issuing a GET request for a user's mail file. http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21086919&ca=wplcsecurity Bugtraq reported that the Domino Web server does not handle URL requests for DOS-Devices (such as CON, AUX, PRN) correctly. This vulnerability can be exploited by a malicious user to bring down the Web server. This vulnerability affects the Domino Web server running on Windows platforms. http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21097574&ca=wplcsecurity If a SunRPC NULL command is sent to the Domino server on port 443, the HTTP task will hang and stop accepting new connections. http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21090260&ca=wplcsecurity A Bugtraq posting reports that access to databases on the Domino Web server can be disabled by sending a particular malformed URL to the server. http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21087165&ca=wplcsecurity NGSSoftware Insight Security Research issued an advisory on 29-Oct-2001 regarding access to the Web Administrator Template. The advisory identified several areas of concern. The following describes actions taken by Lotus in response to these concerns as well as a set of recommendations for customers. Access to the Web Administrator template by anonymous users. Prior to R5.0.9, the "Default" level of access assigned for the Web Administrator (webadmin.ntf) template is "Reader." In R5.0.9, SPR# K http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg27003151&ca=wplcsecurity NGSSoftware Insight Security Research issued an advisory on 29-Oct-2001 regarding the $DefaultNav syntax used by the Domino Web Server. The advisory expressed concern that the syntax may be used to gain unintended access to documents. http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21090452&ca=wplcsecurity NGSSoftware Insight Security Research issued an advisory on 29-Oct-2001 regarding the usage of View ACLs used by the Domino Server. The advisory expressed concern that these controls may be circumvented and result in granting users unintended access to documents. http://www-1.ibm.com/support/docview.wss?rs=477&uid=swg21093244&ca=wplcsecurity Documents stored in databases may have one or more objects associated with them. These objects are stored in the database separately from the document, though the UI makes them appear to be part of the document. Access control to documents in a database is controlled by the database ACL, but that access can be modified on a document by document basis through the use of Reader and Author lists. The issue is that Reader and Author lists modify access only to the document itself and not to any attached objects. For example, a document that contains a file attachment and a Reader list will not be accessible to users that are not in the Reader list. This holds true for the Notes client and for a C API program. However, the C API program will be able to access the file object with NSFDbReadObject if the Object ID of the file object is known to the program.http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21099785&ca=wplcsecurity If domain restrictions are configured on the Domino R5 SMTP server, it is possible for an attacker to overflow the buffer, possibly crashing the server or gaining access to the thread.http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21096603&ca=wplcsecurity Lotus has been aware of the potential for malicious email messages since our early releases. We made our business partners and customers aware of methods for detecting and removing malicious email messages in our R3 release. Our R4.1 release included the ability to globally disable malicious code. In 1996, we released our version 4.5, which included a "sandbox" and a PKI-based authorization mechanism, which we call Execution Control Lists, for native Notes programs. We did this before such mechhttp://www-1.ibm.com/support/docview.wss?rs=475&uid=swg27003195&ca=wplcsecurity An HTML message containing malformed HTML code can cause the router or server process to crash when a Domino R5 server converts the message.http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21099188&ca=wplcsecurity This document is intended to address the "Domino Server Directory Traversal Vulnerability" reported at http://www.securityfocus.com. This information will also be posted to the Lotus Security Zone web site at http://www.lotus.com/security. What is the nature of the vulnerability? Given a known path and file name, files may accessed from a Domino server running the HTTP task. This is limited to the file system (or drive) on which the Domino server is installed. http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg27003433&ca=wplcsecurity Lotus Response to Reported Security Vulnerability Reported Issue: In a recent post to an Internet mailing list, the author asserts that, regardless of Access Control List (ACL) settings, anyone who can intercept network packets between a Notes client and Domino server can circumvent the ACL and gain access to another user's mail file. Lotus Response: We have thoroughly investigated this claim and have determined it to be false. The Domino server checks and enforces the ACL for each request base.http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg27003215&ca=wplcsecurity In your mail database, you select "Add Sender to Address Book" from [Actions -Tools] Menu. Under some circumstances, the wrong Alternate name information is stored in your Personal Address Book.http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21232945&ca=wplcsecurity A specially crafted bind request sent to the LDAP server port can result in a Lotus Domino server crash.http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21229907&ca=wplcsecurity Secunia contacted IBM Lotus to report five buffer overflow vulnerabilities and one directory traversal vulnerability in the KeyView viewers used in Lotus Notes 6.x and 7.0. To successfully exploit these issues, an attacker would need to send a specially crafted file attachment to users, and the users would have to double-click and "View" the attachment. The issue is relative to the following attachment types: html pages, zip, tar and uud.http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21229918&ca=wplcsecurity Secunia contacted IBM Lotus to report several script insertion vulnerabilities in Lotus Domino Web Access.http://www-1.ibm.com/support/docview.wss?rs=3024&uid=swg21229919&ca=wplcsecurity Is Lotus Notes affected by the Windows Meta File vulnerability reported in Microsoft Security Advisory # 912840 (Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution)?http://www-1.ibm.com/support/docview.wss?rs=477&uid=swg21227004&ca=wplcsecurity The Domino autoframe feature uses the Src argument of the OpenFrameSet command; this argument is not intended for general use. An enhancement request was made to limit the use of the Src argument to the design notes in the same database as the frameset being opened.http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21211961&ca=wplcsecurity Information about the PasswordDigest field stored in Person documents in the Domino Directory and whether it contains a hashed value of the user's Notes ID password.http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21215256&ca=wplcsecurity An advisory from CYBSEC raises three configuration issues that are discussed in this technote.http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21212934&ca=wplcsecurity On July 6, 2005, Shalom Carmel posted a vulnerability alert to Bugtraq titled "Cross site scripting in Lotus Notes web mail". This issue affects users who access the standard Notes mail template(s) from a Web client.http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21211783&ca=wplcsecurity iDEFENSE has reported that sending a long string of UNICODE decimal value 430 characters to the Lotus Domino Web server will cause the server to stop responding. Is this a vulnerability?http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21202446&ca=wplcsecurity Juan C Calderon reported an issue where it is possible for the @SetHTTPHeader function to be misused to inject content into the header. The @SetHTTPHeader function is only available to application developers. This vulnerability requires that the attacker have access to install a rogue application on the server in order to execute this code. The impact of the vulnerability, if exploited, is HTTP response splitting or browser/proxy cache poisoning.http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21202437&ca=wplcsecurity Ollie Whitehouse of Symantec reported a format string vulnerability during authentication to the Lotus Domino 6.x servers using the Notes protocol (NRPC). http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21202525&ca=wplcsecurity Mark Litchfield of NGS Software reported a buffer overflow condition that can occur when submitting a large amount of data to certain time/date fields that can be updated from the Web.http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21202431&ca=wplcsecurity Ollie Whitehouse of Symantec reported a buffer overflow condition in the NOTES.INI on the Lotus Notes client, which if exploited could cause the client to crash. http://www-1.ibm.com/support/docview.wss?rs=477&uid=swg21202526&ca=wplcsecurity On October 18, 2004, Juan C Calderon posted a vulnerability alert to Bugtraq titled IBM Lotus Notes/Domino fails to encode Square Brackets( [ ] ). Is this a vulnerability in the IBM Lotus Domino server?http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21187833&ca=wplcsecurity Does Microsoft Security Bulletin MS04-028: "Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)" affect IBM Lotus software Customers?http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21180145&ca=wplcsecurity Response to the security advisory posted by the UK National Infrastructure Security Co-ordination Centre (NISCC) titled " NISCC Vulnerability Advisory 380375/MIME". Is Lotus Domino vulnerable to the security advisory posted by the UK National Infrastructure Security Co-ordination Centre (NISCC) titled "NISCC Vulnerability Advisory 380375/MIME"? The advisory address is as follows: http://www.uniras.gov.uk/vuls/2004/380375/mime.htm http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21181350&ca=wplcsecurity Jouko Pynnonen has reported three potential vulnerabilities in the handling of Java applets in the Lotus Notes 6.0x and 6.5x clients to IBM Lotus.http://www-1.ibm.com/support/docview.wss?rs=477&uid=swg21173910&ca=wplcsecurity A posting to Bugtraq reports that an attacker can craft and send a malicious email that will cause the Domino Server to crash if viewed using the Domino Web Access client. The body of the email must be 12 MB or greater. The original advisory address is as follows: http://www.securityfocus.com/bid/10641 Additional advisories containing the same information have been also been posted on various sites.http://www-1.ibm.com/support/docview.wss?rs=3024&uid=swg21173969&ca=wplcsecurity A recent Bugtraq posting reported an issue with IMAP users having the ability to change the database quota on their own mail file via Telnet.http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21173947&ca=wplcsecurity InfoScreen has published an advisory showing an increased risk of a brute force attack under particular circumstances.http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21165495&ca=wplcsecurity A potential denial-of-service vulnerability can be triggered by certain malformed Secure Sockets Layer (SSL) records causing IBM® Global Security Toolkit (GSKIT) component to fail and thereby causing the application to terminate. Does this potential vulnerability affect IBM Lotus Instant Messaging and Web Conferencing (Sametime)?http://www-1.ibm.com/support/docview.wss?rs=477&uid=swg21169383&ca=wplcsecurity IBM Lotus recognized the potential for a cross-site scripting vulnerability to exist under certain circumstances. No customers are known to have been affected by this vulnerability in a production environment.http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21171253&ca=wplcsecurity Jouko Pynnonen, in association with iDEFENSE, reported a vulnerability in the Lotus Notes 6.x client that may allow an attacker to execute malicious code on the user's workstation under certain circumstances.http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21169510&ca=wplcsecurity Is Lotus Domino vulnerable to the issues reported in the security advisory posted by Dr_insane titled IBM Lotus Domino server 6.5.1 webadmin.nsf vulnerabilities?http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21163845&ca=wplcsecurity A recent advisory reports that the file permissions for certain Lotus Domino configuration files, such as notes.ini, are set incorrectly upon installationhttp://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21157675&ca=wplcsecurity Response to the security advisory posted by the UK National Infrastructure Security Co-ordination Centre (NISCC) titled " Vulnerability Issues in Implementations of the S/MIME Protocol". http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21149731&ca=wplcsecurity Response to the security advisory posted by the UK National Infrastructure Security Co-ordination Centre (NISCC) titled " Vulnerability Issues in Implementations of the TLS and SSL Protocols."http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21140778&ca=wplcsecurity Several security advisories have been published reporting vulnerabilites in how encryption is handled in the Sametime client. How has IBM Lotus addressed these reported vulnerabilities?http://www-1.ibm.com/support/docview.wss?rs=477&uid=swg21116333&ca=wplcsecurity A Bugtraq posting titled, Lotus Domino DOT Bug Allows for Source Code Viewing suggests that the Domino web server is vulnerable to a problem that allows a user to download files from the server. Is this true?http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21105273&ca=wplcsecurity Is Lotus Domino vulnerable to the Remote Buffer Overflow in Sendmail, reported by ISS and CERT?http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21105059&ca=wplcsecurity Customers have reported instances where their Lotus Domino server was a target for an SMTP denial-of-service attack.http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21105201&ca=wplcsecurity Lotus Domino Web Access is subject to a buffer overflow vulnerability when a maliciously crafted URL contains an overly long value for certain parameters.http://www-1.ibm.com/support/docview.wss?rs=3024&uid=swg21104527&ca=wplcsecurity This document describes a denial of service attack possible for the Domino HTTP task with overly long POST requests.http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21104528&ca=wplcsecurity Lotus Domino is subject to a buffer overflow vulnerability when performing a redirect operation under certain circumstances. This vulnerability can be exploited by a malicious user to bring down the Web server.http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21104529&ca=wplcsecurity Lotus iNotes Web Access may be vulnerable to buffer overruns when certain malformed URLs are submitted.http://www-1.ibm.com/support/docview.wss?rs=3024&uid=swg21104542&ca=wplcsecurity The Lotus Domino Server is vulnerable to an intermittent problem with a script or control invoking a specific backend COM class method with an intentionally very long parameter string.http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21104543&ca=wplcsecurity SecurityBugware has posted an advisory regarding the execution of embedded objects in Lotus Notes mail messages upon reading the message.http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21091186&ca=wplcsecurity While conducting a security audit on a Lotus Domino web application, a customer discovered a cross site scripting vulnerability and reported it to IBM Lotus.http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21217285&ca=wplcsecurity