Bugtraq mailing list archives

Re: Lotus Notes Stored Form Vulnerability


From: mark myers <markmyers () TALK21 COM>
Date: Wed, 21 Feb 2001 21:06:07 -0000

OK, here's how it goes

R4
Stored forms enabled, ECL implemented but left wide 
open, Stored forms can not be received via external 
mail.

If I was a hacker trying to use a stored form on R4, I 
would have to create the form on my own computer, 
then take the edited template/database, get it into the 
company I want to use, get hold of a valid ID and 
password, and then send it. The problems are 
(ignoring the coding ones) getting an ID file and 
password for the company's Notes, getting into their 
LAN (not just past their firewall but actually on their 
LAN)
- somehow. If I was a hacker and could get onto a 
LAN with a valid ID and password, sending a mail 
would not be high on my list of things to do. PS: the 
previous mails are correct, this has been around for 
years.

R5
Stored forms enabled, ECL implemented but by 
default as tight as a shark's arse at 25,000 fathoms, 
Stored forms can be received via external mail, if the 
recipient is trusted.

We are on similar ground with R5, but with the 
added bits of ECL (which is based on a text match, 
not on public/private key checking), and the ability to 
send Notes mails over the NET. Same problems as 
before if you want to do it over the LAN, with the 
added bit that you would have to build a server first to 
create the correct domain with which to stamp the 
database. But we could attack over the NET, can't 
we? Well, yes, if the domain we attack trusts us, or if 
we are certain that the company is using Notes for its 
SMTP gateway with nothing in between it and the 
NET, like a VAX or anything like that, and if the 
administrators are daft and have left the SMTP 
gateway wide open.


I have been writing GroupWare with 
Notes/Domino/Exchange and the web for 6 years now.
This issue was old years ago, and as far as security 
loopholes go I'm not going to lose masses of sleep 
over it. If you set up your system with a normal degree 
of sense, I don't see it ever causing a problem.

If anyone disagrees my mail is 
markmyers () talk21 com

Thanks


