COMMAND

    Lotus Notes

SYSTEMS AFFECTED

    Systems running Lotus Notes 4.6+ Client

PROBLEM

    The following information is based on an L0pht advisory. Versions
    4.6+ of the Lotus Notes Client appear to be vulnerable; lower versions
    may also be vulnerable but at this time are untested. The vulnerability
    affects companies that use Lotus Notes primarily for development
    purposes or as an Intranet. Also any servers that were distributed
    with the Lotus Notes Client and do not run the HTTPD task by default
    are vulnerable. Note: this assumes Domino servers have already been
    patched according to a previous advisory (see mUNIXes area).

    Additionally, previously reported vulnerabilities (web users can write
    to remote server drives and change server configuration files) come
    into play once more because of this vulnerability in the Notes Client.
    No new vulnerability exists in Lotus Domino servers that run the HTTP
    task by default.

    Remote intruders can potentially retrieve databases under development,
    confidential company records, and so on. All of the above can be
    achieved by connecting to a vulnerable Notes Client. To test (from
    within a Lotus Notes 4.6+ Client):

        1. Open any given database
        2. Click Actions -> Preview in Web Browser

    This should have launched your designated web browser and connected to
    http://199.99.99.99/database or something similar. Even though you only
    have the Notes Client installed on the machine and not the server, the
    HTTPD task is now running and accepting connections on port 80. Thus
    anyone on the Internet could then request http://199.99.99.99/domcfg.nsf/?open
    or even http://199.99.99.99 (to get a listing of the available
    databases). Subsequently, the log can be opened to see which database(s)
    the given user was recently accessing or modifying.

    From this point an intruder can browse the databases and manipulate
    documents in a wide variety of ways. Domino URL commands (which can be
    used to edit, delete, and manipulate files via the web) are described in
    the product documentation as well as at:

        http://www.notes.net/today.nsf/cbb328e5c12843a9852563dc006721c7/ca5230f9baf39fe1852564b5005e8419

SOLUTION

    Database ACLs need to be edited manually by a competent administrator
    to ensure security. If, for example, domlog.nsf could be read, that
    alone is a security breach. Set up routing filters to disallow access
    to the HTTP port of Notes Client-only machines.
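    An added audit check (not part of the advisory): given an inventory of
    workstations that should only run the Notes Client, it reports any that
    accept connections on the HTTP port, which is what happens once "Preview
    in Web Browser" has started the HTTPD task. The inventory addresses are
    constructed placeholders.

```python
"""Flag Notes Client-only workstations that are accepting TCP connections on
the HTTP port. A listener on port 80 on such a host means the client's HTTPD
task is running and the machine should have its ACLs reviewed and the port
filtered, as the advisory recommends."""
import socket
from typing import Dict, Iterable


def http_port_open(host: str, port: int = 80, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port succeeds, i.e. something
    is listening there; False on refusal, timeout or resolution failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_client_only_hosts(hosts: Iterable[str], port: int = 80) -> Dict[str, bool]:
    """Map each inventoried host to whether it unexpectedly accepts
    connections on the given port (True = HTTPD reachable, needs attention)."""
    return {host: http_port_open(host, port) for host in hosts}


if __name__ == "__main__":
    # Constructed inventory of hypothetical Notes Client-only workstations.
    INVENTORY = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    for host, exposed in audit_client_only_hosts(INVENTORY).items():
        verdict = "HTTPD reachable: review ACLs and filter port 80" if exposed else "ok"
        print(f"{host}: {verdict}")
```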