When using the Evaluate LotusScript method in conjunction with specific @
formula commands to design views and agents, it was found that unexpected
results could be returned. In specific situations, the view or agent could
return information that the user would not normally be able to access.
These results depend on how the view or agent is written, and on which
identity (server or user) is being used to execute the view or agent.
In the past, the security context default was the server, and thus in certain
situations the server identity would be used.
This issue was reported to Quality Engineering as SPR# KEMG6M9RAU. Starting
with Lotus Domino releases 7.0.3 and 8.0, you will be able to control the
security context with the notes.ini parameter
Enforce_EffectiveUserRights_EvaluteCommand.
This notes.ini parameter can be set to the value of 0 (Don't Enforce) or 1
(Enforce) to control whether the server context or user context is used. If
this parameter is not set, the default for the specific version in use
applies.
-- The default for Lotus Domino 7.0.3 is "Don't Enforce"
-- The default for Lotus Domino 8.0 (or higher) is "Enforce"
Refer to the Upgrade Central site for details on upgrading Notes/Domino.
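To audit which identity Evaluate runs under on a given server, the rules above can be applied to a copy of that server's notes.ini. This is an added example, not IBM's code; the function names, the constructed sample file, case-insensitive key matching, and treating 7.0.x releases after 7.0.3 like 7.0.3 are assumptions.

```python
"""Added example: effective Evaluate security context from a notes.ini copy."""

PARAM = "Enforce_EffectiveUserRights_EvaluteCommand"  # spelling as on this page

# Constructed sample input, not taken from a real server.
SAMPLE_INI = """[Notes]
KitType=2
Directory=/local/notesdata
enforce_effectiveuserrights_evalutecommand=1
"""


def read_setting(ini_text):
    """Return the set of distinct values assigned to PARAM (normally 0 or 1 entries)."""
    values = set()
    for raw in ini_text.splitlines():
        line = raw.strip()
        if "=" not in line:  # skips blank lines and the [Notes] header
            continue
        key, _, value = line.partition("=")
        # Assumption: notes.ini variable names are matched case-insensitively.
        if key.strip().lower() == PARAM.lower():
            values.add(value.strip())
    return values


def effective_context(ini_text, version):
    """version is a tuple such as (7, 0, 3); returns 'user', 'server' or 'review'."""
    if version < (7, 0, 3):
        # The parameter starts with 7.0.3 / 8.0; before that the server context applied.
        return "server"
    values = read_setting(ini_text)
    if len(values) > 1 or not values <= {"0", "1"}:
        return "review"  # conflicting or invalid entries: check the file by hand
    if values:
        return "user" if values == {"1"} else "server"
    # Unset: version default. Assumption: later 7.0.x keeps the 7.0.3 default.
    return "user" if version >= (8, 0) else "server"


if __name__ == "__main__":
    for ver in [(6, 5, 6), (7, 0, 3), (8, 0)]:
        print(ver, "set:", effective_context(SAMPLE_INI, ver),
              "unset:", effective_context("[Notes]\n", ver))
```

A result of "server" on a 7.0.3 system with the parameter unset is the case to follow up on, since that release does not enforce the user context by default.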
Michael Gollmick of TIMETOACT Software & Consulting GmbH and Daniel Nashed
of Nash!Com contacted IBM® Lotus® to report a potential LotusScript security
vulnerability with Lotus Domino®. This issue has been fixed in Lotus Domino
releases 7.0.3 and 8.0 with the use of a new notes.ini parameter.
None, although you can specify this setting in the NOTES.INI Settings tab of
the Configuration Settings document in the Domino Directory.
Enforce_EffectiveUserRights_EvaluteCommand=0 / 1
Lotus Notes/Domino 6.5.6