Bugtraq mailing list archives

Re: Lotus Domino: security hole the size of Texas, plus somewhat smaller protocol auditing utility
From: Andreas Siegert <afx () ATSEC COM>
Date: Wed, 10 Jan 2001 20:30:52 +0100

Quoting Michal Zalewski (lcamtuf () DIONE IDS PL) on Mon, Jan 08, 2001 at 08:50:32PM +0100:

> ANY AUTHORIZED USER OF LOTUS DOMINO MAIL SYSTEM CAN GAIN UNAUTHORIZED
> ACCESS TO *ANY* MAILBOX IN THE SYSTEM BY MODIFYING THE TRAFFIC BETWEEN HIS
> CLIENT AND DOMINO SERVER OR BY MODIFYING CLIENT SOFTWARE ITSELF.
>
> (with great sorrow, have to turn my caps lock off)... Not to mention
> accessing / modifying other files than mail\*.nsf entries. I haven't
> checked for that - should be more problematic, but probably can be done.
>
> Again - as I said - your comments are welcome. First of all, it would be
> nice to confirm this problem, and to see if ACLs might help. And *NO* -
> encrypting TCP/IP connection won't change anything, as stated above.

Hmmm, fortunately Notes allows you to encrypt the whole mailbox so that it
resides encrypted on the server and the client. This is a different option
from encrypting the traffic.

cheers
afx

--
atsec information security GmbH                Phone: +49-89-44249830
Steinstrasse 68                                  Fax: +49-89-44249831
D-81667 Muenchen, Germany                        WWW: www.atsec.com
                      May the Source be with you!

