Penetration Testing mailing list archives
Hacking Domino (Penetration: from Application down to OS. Getting OS Access Using Lotus Domino Application Server Vulnerabilities )
From: Alexandr Polyakov <alexandr.polyakov () dsec ru>
Date: Thu, 29 Apr 2010 00:42:48 +0400
New Whitepaper from Digital Security Research Group (dsecrg.com)

Penetration: from Application down to OS. Getting OS Access Using Lotus Domino Application Server Vulnerabilities

This whitepaper continues a series of publications made by DSecRG researchers describing various ways of obtaining access to the server operating system, using vulnerabilities in popular business applications that are found in the corporate environment.

This time we will talk about Lotus Domino – a very popular application that provides enterprise-grade e-mail and collaboration capabilities. This system stores a huge amount of critical corporate data and represents a good target for a potential attacker. People must also be aware that this system is usually available from the Internet and can be hacked to get access to the operating system of the server in the DMZ and then to the internal servers of the corporate environment, and in this paper we will show how to do this.

This whitepaper has been made to inform people of the importance of business application security, as these applications store critical business data and can represent targets for hacker attacks. According to statistics of the latest security assessments, pen-tests and application security assessments performed by Digital Security, applications are the least secured chain in the complex IT system security area.

Download from: http://dsecrg.com/pages/pub/show.php?id=24

About Author

Alexander Polyakov is now working as a director of the security audit department at the Digital Security company. He is also the head of Digital Security Research Group (dsecrg.com). He is one of the contributors to the PCIDSS.RU Community. An expert in enterprise applications and database security, he has found a lot of vulnerabilities in products of such vendors as SAP, Oracle, IBM, Sun and many others. He is the author of multiple whitepapers about IT security and compliance, and particularly about enterprise application security.
He is the author of the book "Oracle Security from the Eye of the Auditor: Attack and Defence". Alexander Polyakov holds PCI QSA and PA QSA status.

About company

Digital Security is one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005, PCI DSS and PA-DSS standards. Digital Security Research Group focuses on enterprise application, ERP and SAP security problems, with vulnerability reports, advisories and whitepapers posted regularly on our website.

Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com

Polyakov Alexandr. PCI QSA, PA-QSA
Head of security audit department
Head of Digital Security Research Group
______________________
DIGITAL SECURITY
phone: +7 812 703 1547
       +7 812 430 9130
e-mail: a.polyakov () dsec ru
www.dsec.ru
www.dsecrg.com
www.pcidss.ru