what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Secunia-LotusNotes.txt

Secunia-LotusNotes.txt
Posted Oct 21, 2006
Site secunia.com

Secunia Research 18/10/2006: IBM Lotus Notes Insecure Default Folder Permissions - Secunia Research has discovered a security issue in Lotus Notes, which can be exploited by malicious, local users to manipulate arbitrary files.

tags | advisory, arbitrary, local
SHA-256 | 329a738d598319ed98c9d729752ed575b69c649c13730dad35244762b9e39337

Secunia-LotusNotes.txt

Change Mirror Download
====================================================================== 

Secunia Research 18/10/2006

- IBM Lotus Notes Insecure Default Folder Permissions -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

======================================================================
1) Affected Software

IBM Lotus Notes 6.5.4 and 6.5.5.
IBM Lotus Notes 7.0.0 and 7.0.1.

======================================================================
2) Severity

Rating: Less critical
Impact: Privilege Escalation, Manipulation of Data
Where: Local System

======================================================================
3) Vendor's Description of Software

"IBM Lotus Notes continues to set the standard for innovation in the
messaging and collaboration market Lotus defined over a decade ago.
As an integrated collaborative environment, the Lotus Notes client
and the IBM Lotus Domino server combine enterprise-class messaging
and calendaring & scheduling capabilities with a robust platform for
collaborative applications".

Product Link:
http://www.lotus.com/products/product4.nsf/wdocs/noteshomepage

======================================================================
4) Description of Vulnerability

Secunia Research has discovered a security issue in Lotus Notes,
which can be exploited by malicious, local users to manipulate
arbitrary files.

The problem is that Lotus Notes sets insecure default permissions
(grants "Everyone" group "Full Control") on the "notes" directory and
all child objects. This can be exploited to remove, manipulate, and
replace any of the application's files.

======================================================================
5) Solution

Update to version 7.0.2.

======================================================================
6) Time Table

22/07/2005 - Vendor notified.
22/07/2005 - Vendor response.
18/10/2006 - Public disclosure.

======================================================================
7) Credits

Discovered by Carsten Eiram, Secunia Research.

======================================================================
8) References

IBM:
http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21246773

The Common Vulnerabilities and Exposures (CVE) project has assigned
candidate number CVE-2005-2454 for the vulnerability.

======================================================================
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://corporate.secunia.com/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.

http://secunia.com/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:

http://corporate.secunia.com/secunia_research/33/

Secunia regularly hires new skilled team members. Check the URL below to
see currently vacant positions:

http://secunia.com/secunia_vacancies/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

======================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2005-29/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================



Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close