Bugtraq mailing list archives
Re: Lotus Domino: security hole the size of Texas, plus somewhat smaller protocol auditing utility
From: Andreas Siegert <afx () ATSEC COM>
Date: Wed, 10 Jan 2001 20:30:52 +0100
Quoting Michal Zalewski (lcamtuf () DIONE IDS PL) on Mon, Jan 08, 2001 at 08:50:32PM +0100:
ANY AUTHORIZED USER OF LOTUS DOMINO MAIL SYSTEM CAN GAIN UNAUTHORIZED ACCESS TO *ANY* MAILBOX IN THE SYSTEM BY MODIFYING THE TRAFFIC BETWEEN HIS CLIENT AND DOMINO SERVER OR BY MODIFYING CLIENT SOFTWARE ITSELF. (with great sorrow, have to turn my caps lock off)...

Not to mention accessing / modifying other files than mail\*.nsf entries. I haven't checked for that - should be more problematic, but probably can be done.

Again - as I said - your comments are welcome. First of all, it would be nice to confirm this problem, and to see if ACLs might help. And *NO* - encrypting TCP/IP connection won't change anything, as stated above.
Hmmm, fortunately Notes allows you to encrypt the whole mailbox so that it
resides encrypted on the server and the client. This is a different option
from encrypting the traffic.
cheers
afx
--
atsec information security GmbH Phone: +49-89-44249830
Steinstrasse 68 Fax: +49-89-44249831
D-81667 Muenchen, Germany WWW: www.atsec.com
May the Source be with you!
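The distinction the reply draws between encrypting the connection and encrypting the mailbox itself is worth seeing in code. The model below is an added illustration written for this archive page, not Notes/Domino code and not the protocol either poster discusses: a mail store keeps each mailbox only as ciphertext under a key that lives with the mailbox owner's client, so a request that gets past server-side access checks (the class of problem the original post describes) returns bytes the requester cannot decrypt. The cipher here is a stand-in (HMAC-SHA256 keystream plus an encrypt-then-MAC tag) chosen to keep the example standard-library only; a real deployment would use a vetted AEAD and per-user public keys. All names (MailStore, alice, mallory) and the sample message are constructed for the example.

```python
import hashlib
import hmac
import os

# --- stand-in cipher (illustrative; use a real AEAD such as AES-GCM in practice) ---

def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive an independent sub-key for encryption or authentication."""
    return hashlib.sha256(key + b"|" + label).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(enc_key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. The tag covers nonce and ciphertext."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then strip the keystream. Wrong key -> ValueError."""
    if len(blob) < 16 + 32:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


# --- server side: holds ciphertext only, never a user key ---

class MailStore:
    """Constructed model of a server that stores mailboxes as opaque blobs."""

    def __init__(self) -> None:
        self._mailboxes: dict[str, list[bytes]] = {}

    def deposit(self, mailbox: str, blob: bytes) -> None:
        self._mailboxes.setdefault(mailbox, []).append(blob)

    def fetch(self, mailbox: str) -> list[bytes]:
        # Deliberately no access check here: this models the case where a
        # server-side authorization decision has already been bypassed, so we
        # can see what the requester actually obtains.
        return list(self._mailboxes.get(mailbox, []))


# --- client side: each user's key never leaves the client ---

def client_send(store: MailStore, owner_key: bytes, mailbox: str, message: bytes) -> None:
    """Encrypt with the mailbox owner's key before the message reaches the server."""
    store.deposit(mailbox, encrypt(owner_key, message))


def client_read(store: MailStore, key: bytes, mailbox: str) -> list[bytes]:
    """Fetch blobs and decrypt with the caller's own key; raises if the key is wrong."""
    return [decrypt(key, blob) for blob in store.fetch(mailbox)]


def demo() -> tuple[list[bytes], int, bool]:
    """Alice reads her own mail; a second user who obtains Alice's blobs cannot.

    Returns (alice_plaintexts, blobs_obtained_by_other_user, other_user_decrypt_failed).
    """
    alice_key = os.urandom(32)    # lives on Alice's client (e.g. with her ID)
    mallory_key = os.urandom(32)  # a different authorized user's key
    store = MailStore()
    sample = b"Constructed sample message: quarterly numbers attached."
    client_send(store, alice_key, "mail/alice.nsf", sample)

    alice_view = client_read(store, alice_key, "mail/alice.nsf")

    # Other user reaches the mailbox blobs but holds only their own key.
    obtained = store.fetch("mail/alice.nsf")
    try:
        client_read(store, mallory_key, "mail/alice.nsf")
        failed = False
    except ValueError:
        failed = True
    return alice_view, len(obtained), failed


if __name__ == "__main__":
    view, n_blobs, failed = demo()
    print("owner reads:", view[0].decode())
    print(f"other user obtained {n_blobs} blob(s); decryption failed: {failed}")
```

The point the example makes is structural rather than cryptographic: transport encryption (TLS, or Notes port encryption) protects the bytes between client and server but leaves the server, and therefore any request the server honours, with readable mail. Encrypting the mailbox under a key the server never holds moves the trust boundary to the owner's client, so a bypass of server-side access control degrades to disclosure of ciphertext. It does not address the integrity or availability side of the original report (deleting or replacing another user's blobs), which still needs correct server-side ACL enforcement.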