Re: Lotus Domino: security hole the size of Texas, plus somewhat smaller protocol auditing utility
From: Andreas Siegert <afx () ATSEC COM>
Date: Wed, 10 Jan 2001 20:30:52 +0100
Quoting Michal Zalewski (lcamtuf () DIONE IDS PL) on Mon, Jan 08, 2001 at 08:50:32PM +0100:
> ANY AUTHORIZED USER OF LOTUS DOMINO MAIL SYSTEM CAN GAIN UNAUTHORIZED
> ACCESS TO *ANY* MAILBOX IN THE SYSTEM BY MODIFYING THE TRAFFIC BETWEEN HIS
> CLIENT AND DOMINO SERVER OR BY MODIFYING CLIENT SOFTWARE ITSELF.
> (with great sorrow, have to turn my caps lock off)... Not to mention
> accessing / modifying other files than mail\*.nsf entries. I haven't
> checked for that - should be more problematic, but probably can be done.
> Again - as I said - your comments are welcome. First of all, it would be
> nice to confirm this problem, and to see if ACLs might help. And *NO* -
> encrypting TCP/IP connection won't change anything, as stated above.
Hmmm, fortunately Notes allows you to encrypt the whole mailbox so that it
resides encrypted on the server and the client. This is a different option
from encrypting the traffic.
atsec information security GmbH
Steinstrasse 68
D-81667 Muenchen, Germany
Phone: +49-89-44249830
Fax: +49-89-44249831
WWW: www.atsec.com
May the Source be with you!