Bugtraq mailing list archives
Re: Lotus Notes Stored Form Vulnerability
From: mark myers <markmyers () TALK21 COM>
Date: Wed, 21 Feb 2001 21:06:07 -0000
OK, here's how it goes.

R4
Stored forms enabled, ECL implemented but left wide open. Stored forms cannot be received via external mail.

If I was a hacker trying to use a stored form on R4, I would have to create the form on my own computer, then take the edited template/database, get it into the company I want to use, get hold of a valid ID and password, and then send it. The problems are (ignoring the coding ones):

- getting an ID file and password for the company's Notes
- getting into their LAN (not just past their firewall but actually on their LAN) somehow

If I was a hacker and could get onto a LAN with a valid ID and password, sending a mail would not be high on my list of things to do.

PS: the previous mails are correct, this has been around for years.

R5
Stored forms enabled, ECL implemented but by default as tight as a shark's arse at 25,000 fathoms. Stored forms can be received via external mail, if the recipient is trusted.

We are on similar ground with R5, but with the added bits of ECL (which is based on a text match, not on public/private key checking), and the ability to send Notes mails over the NET. Same problems as before if you want to do it over the LAN, with the added bit that you would have to build a server first to create the correct domain, with which to stamp the database. But we could attack over the NET, can't we? Well, yes, if the domain we attack trusts us, or if we are certain that the company is using Notes for its SMTP gateway with nothing in between it and the NET, like a VAX or anything like that, and if the administrators are daft and have left the SMTP gateway wide open.

I have been writing groupware with Notes/Domino/Exchange and the web for 6 years now. This issue was old years ago, and as far as security loopholes go I'm not going to lose masses of sleep over it. If you set up your system with a normal degree of sense, I don't see it ever causing a problem. If anyone disagrees, my mail is markmyers () talk21 com

Thanks
Current thread:
- Lotus Notes Stored Form Vulnerability Chris Jones (Feb 10)
- Re: Lotus Notes Stored Form Vulnerability Derek Reynolds (Feb 10)
- <Possible follow-ups>
- Re: Lotus Notes Stored Form Vulnerability Felix Grushevsky (Feb 10)
- Re: Lotus Notes Stored Form Vulnerability Mikkel Heisterberg (Feb 12)
- Re: Lotus Notes Stored Form Vulnerability Security Advisory (Feb 12)
- Re: Lotus Notes Stored Form Vulnerability Security Advisory (Feb 15)
- Re: Lotus Notes Stored Form Vulnerability Chris Jones (Feb 19)
- Re: Lotus Notes Stored Form Vulnerability mark myers (Feb 21)
- Re: Lotus Notes Stored Form Vulnerability Katherine Spanbauer (Feb 26)
- Re: Lotus Notes Stored Form Vulnerability Tibor SZABO (Feb 27)