====================================================================== Secunia Research 10/02/2006 - Lotus Notes Multiple Archive Handling Directory Traversal - ====================================================================== Table of Contents Affected Software....................................................1 Severity.............................................................2 Description of Vulnerability.........................................3 Solution.............................................................4 Time Table...........................................................5 Credits..............................................................6 References...........................................................7 About Secunia........................................................8 Verification.........................................................9 ====================================================================== 1) Affected Software * Lotus Notes 6.5.4 * Lotus Notes 7.0 Other versions may also be affected. ====================================================================== 2) Severity Rating: Moderately Critical Impact: Security Bypass Where: Remote ====================================================================== 3) Description of Vulnerability Secunia Research has discovered a vulnerability in Lotus Notes, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is caused due to directory traversal errors in kvarcve.dll when generating the preview of a compressed file from ZIP, UUE and TAR archives. This can be exploited to delete arbitrary files that are accessible to the Notes user. Successful exploitation requires that the user is e.g. tricked into previewing a compressed file with directory traversal sequences in its filename from within the Notes attachment viewer. ====================================================================== 4) Solution Update to version 6.5.5 or 7.0.1. ====================================================================== 5) Time Table 04/08/2005 - Initial vendor notification. 04/08/2005 - Initial vendor response. 10/02/2006 - Public disclosure. ====================================================================== 6) Credits Discovered by Tan Chew Keong and Carsten Eiram, Secunia Research. ====================================================================== 7) References The Common Vulnerabilities and Exposures (CVE) project has assigned candidate number CAN-2005-2619 for the vulnerability. ====================================================================== 8) About Secunia Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website: http://secunia.com/ Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration. Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/ ====================================================================== 9) Verification Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2005-30/advisory/ Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/ ======================================================================