[19357] in bugtraq


Re: Lotus Notes Stored Form Vulnerability

daemon@ATHENA.MIT.EDU (Katherine Spanbauer)
Mon Feb 26 14:56:15 2001

Date:         Fri, 23 Feb 2001 17:26:38 -0500
Reply-To: Katherine_Spanbauer@LOTUS.COM
From: Katherine Spanbauer <Katherine_Spanbauer@LOTUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

Technote # 184674  Q&A: BugTraq "Lotus Notes Stored Form Vulnerability"

http://support.lotus.com/sims2.nsf/eb5fbc0ab175cf0885256560005206cf/89e023ae7ee59e5d852569f90059fd5e?OpenDocument



Title:           Q&A: BugTraq "Lotus Notes Stored Form Vulnerability"
Product Area:    Notes
Product Release: Notes Client 5.x, Notes Client 4.6x
Topic:           Workstation/Desktop \\ Notes Client Functionality \\ Security \\ ECL
Document #:      184674
Last Update:     02/23/2001

BODY:

What methods are available to protect against potential attacks using a
Stored Form in a mail message?

   1.      Disable the Stored Form setting for all mail files.

   OR

   2.      Use Execution Control Lists (ECLs) to define trusted signers of
     executable content and assign appropriate levels of access.

When were these features introduced?

   The Database Property for "Allow use of stored forms in this database"
   was introduced in Notes R4.1.  The Execution Control List (ECL) feature
   was introduced in Notes R4.5.

What is a "Stored Form" and how is it used?

   When designing a form, a form property can be enabled that will store
   the form design with the document.  The most common usage of this
   feature is when a document will be mailed and the form does not exist in
   the users' mail files.  By storing the form with the document, additional
   functionality can be added.  For more information on Forms and
   Documents, please see the Help document included below.

How can the use of a Stored Form be detected for a particular mail message?

   The existence of a $Title field on the document indicates that the form
   is stored with the document.  The $Title field will contain the name of
   the form.

How can Stored Forms be disabled?

   This setting is configured in Database Properties.  To disable it,
   uncheck the box on the Basics tab for "Allow use of stored forms in this
   database".

Who has access to change this setting for a database?

   Manager access in the ACL is required to change database properties.

How can administrators disable this setting for all user's mail files?

   Disable the setting on the mail template(s) used in your environment and
   run the Design task (load design from the server console, or as a
   scheduled task).

   When new mail files are created from the template, this setting will be
   disabled.  In addition, when the design task runs (by default, this
   occurs nightly at 2 am), all databases that inherit from the updated
   templates will now have this setting disabled.  This technique assumes
   that mail files inherit their design from a specified template(s), which
   is the default behavior.

If Stored Forms are not enabled for a database, what will happen when the
user opens a mail message containing a stored form?

   The user will be prompted with a dialog box with the following message:
   "This document cannot be displayed in its original format because it
   contains a stored form.  This database does not allow use of stored
   forms.  Notes will attempt to open the document using a different
   format."

   The default form for the database will be used to display the document
   instead.  Any code associated with the form will not be executed, and
   some field values may not be able to be read using the default form
   (i.e. the "Memo" form in mail databases).

Where is the Execution Control List (ECL) stored and configured?

   The ECL is stored for each user in their desktop.dsk/desktop5.dsk file.
   Users can access their ECL from File\Preferences\User
   Preferences\Security Options.  Administrators can configure domain wide
   settings in the Public Address Book/Domino Directory by selecting
   Actions\Edit Administration ECL.  Workstation ECLs are inherited from
   the Administration ECL during workstation setup.  In R5.0.5 or higher,
   these settings can be refreshed from the Administration ECL by clicking
   the "Refresh" button on the Workstation Security Options dialog.  The
   @RefreshECL command can also be used in formulas to update a user's
   settings.

How do ECLs protect workstations?

   ECLs rely on the use of digital signatures.  When a design element is
   created and saved, it is signed with the user's private key from their
   ID file.

   When executable code is activated, Notes checks the signature and
   verifies what level of access the signer is allowed for that user's
   workstation.  Notes relies on the use of certificates to verify these
   digital signatures.  If a signer can be verified and is listed in the
   ECL, the rights assigned for that entry apply.  If the signature is
   verified, but an entry for the signer does not exist, the rights
   assigned to the "Default" entry apply.  If a signature cannot be
   verified, the access rights assigned to the entry for "No Signature"
   apply.

What is the "Lotus Notes Template Development/Lotus Notes" entry in the
ECL?

   All Lotus Notes templates shipped with the product are signed with this
   ID file.  This entry is listed in the ECL with all access rights enabled,
   which means that code signed with this ID is trusted to execute on the
   workstation.

Is it possible for someone to create an ID with the name "Lotus Notes
Template Development/Lotus Notes" and evade the ECL?

   No.  While it is possible for an ID to be created with the same name,
   the public/private key pair will not match the original.  When code
   signed with the false ID is executed, Notes will be unable to verify the
   signer and therefore the rights assigned to the entry for "No Signature"
   will apply.  If "No Signature" is not permitted to execute that
   particular action, Notes will generate an Execution Security Alert
   dialog box with the warning that "The version of Notes you are running
   does not recognize the Template Development key that signed this
   document".

What are the Lotus recommended ECL settings for the "Default" and "No
Signature" entries?

   Both "Default" and "No Signature" should have all access rights
   disabled.  Beginning with R5.0.2 (available in Dec 1999), this is the
   default configuration.
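The two controls the technote describes, the "Allow use of stored forms" database property and ECL signer resolution (verified and listed, verified but unlisted, unverifiable), modelled together as an added Python example; this is not Lotus code, and the Document/Signature structures, the key-id registry standing in for certificate verification, and the hypothetical key ids and right names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

TEMPLATE_SIGNER = "Lotus Notes Template Development/Lotus Notes"

# Constructed stand-in for certificate verification: the key that each
# verifiable signer name is certified to hold (hypothetical key ids).
CERTIFIED_KEYS = {TEMPLATE_SIGNER: "key-lotus", "Jane Doe/Acme": "key-jane"}

@dataclass
class Signature:
    signer: str   # name carried by the signing ID
    key_id: str   # key that actually produced the signature

@dataclass
class Document:
    fields: dict                           # Notes items, e.g. {"Form": "Memo"}
    signature: Optional[Signature] = None  # signature on the stored form's code

def has_stored_form(doc: Document) -> bool:
    # Technote: a $Title item means the form design travels with the document.
    return "$Title" in doc.fields

def display_form(doc: Document, allow_stored_forms: bool, default_form="Memo"):
    """Return (form used, stored-form code can run).  With the database
    property disabled, the stored form is ignored, the default form is used
    and none of the stored form's code executes."""
    if has_stored_form(doc):
        if allow_stored_forms:
            return doc.fields["$Title"], True
        return default_form, False
    return doc.fields.get("Form", default_form), True

def ecl_rights(ecl: dict, sig: Optional[Signature]) -> set:
    """Resolve the governing ECL entry: verified and listed -> that entry;
    verified but unlisted -> "Default"; unverifiable, including a cloned
    signer name backed by the wrong key -> "No Signature"."""
    if sig is None or CERTIFIED_KEYS.get(sig.signer) != sig.key_id:
        return ecl.get("No Signature", set())
    return ecl.get(sig.signer, ecl.get("Default", set()))

def may_execute(doc: Document, ecl: dict, action: str, allow_stored_forms: bool) -> bool:
    """Both controls together: the stored form must be allowed to display at
    all, and its signer must hold the requested right."""
    _, code_may_run = display_form(doc, allow_stored_forms)
    return code_may_run and action in ecl_rights(ecl, doc.signature)

# Lotus-recommended shape (R5.0.2+ default): only the shipped template signer
# is trusted; "Default" and "No Signature" grant nothing (right names assumed).
RECOMMENDED_ECL = {TEMPLATE_SIGNER: {"access to file system", "access to current database"},
                   "Default": set(), "No Signature": set()}
```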


Related Documents:

How ECLs Respond to Changes in the Notes/Domino Environment
Document #: 183254

Recommendations for Deploying Tighter ECLs in Notes R5
Document #: 183256

Default ECL Entries Beginning with Notes 5.0.3
Document #: 183257

"Staying Alert with Execution Control Lists"
by Amy Smith, published on Iris Today on Dec 1, 1999 at

   http://www.notes.net/today.nsf/9148b29c86ffdcd385256658007aaa0f/3a9da544637a69b2852568310078b649?OpenDocument

From R5 Designer Help:

Forms and Documents

When a user creates and fills out the information in a form and saves it,
the information is saved as a document. When a user opens the document, the
document uses the form as a template to provide the structure for
displaying the data. When designing forms, you should consider where and
how the resulting documents will be displayed.

A form is stored in the database it was created in and used to display all
associated documents. However, there may be times when you are mailing a
document to a database that does not have the form that was used to create
the document. In those cases you can designate the form to be stored with
each document created from it. Storing the form with each document does
consume more memory.

When a user opens a document, Domino uses these rules to determine which
form to use to display it:

  Condition: The form used to create the document is available, there is
  no form stored in the document, and there is no form formula.
  Form used: The form that was used to create the document. The original
  form name is stored in a hidden field called "Form" in the document. To
  find the value of the field you can check the Document Properties box
  under the Fields tab.

  Condition: A form is stored with the document.
  Form used: The form stored with the document. (When a form is stored in
  a document, the form name is stored in an internal field called $Title.)

  Condition: The view has a form formula.
  Form used: The form is determined by the view's form formula.

  Condition: The form used to create the document is not available in the
  database.
  Form used: The default form for the database. Each database can have
  only one default form, which is marked with an arrow in the Forms list.


Storing a form with each document

Storing the form with each document allows the document to display
correctly even in a database where the form is missing, renamed, or
deleted. This feature uses more system memory and may require as much as 20
times more disk space. It can also cause additional work if you change the
form design because there is no easy way to update all of the stored copies
of the form. In general, store a form in a document only under these
conditions:

    The database to which documents are mailed or pasted does not contain a
    copy of the original form.

    The database to which documents are mailed or pasted doesn't share an
    alias with the original form.

    The form contains an embedded OLE object or a subscription, and you
    want documents to reflect any changes to the object.

    You selected "Include in Search Builder" in the Form Properties box and
    want the form's static text to be searchable.

    The documents created with this form are stored as encapsulated
    databases and mailed to cc:Mail users.

To store a form with each document

  1. Open the form.

  2. Choose Design - Form Properties.

  3. Click the Form Info tab.

  4. Select "Store form in document."

  5. Switch to Database Properties in the drop-down list on the Properties
     box and select "Allow use of stored forms in this database."

Overriding the stored form
When a form is stored in a document, the form name is stored in a hidden
field called $Title. Additional information is stored in the $Info,
$WindowTitle, and $Body fields. To use a different form to display the
document, create an agent that deletes this stored form information and
designates another form to display the document.

Shared fields and documents with stored forms
If the form contains a shared field, that field is converted to a
single-use field in the copy of the form that is actually stored in the
document. This ensures that if a copy of the document is stored in a
database that does not contain the shared field definition, the field can
still be used. In the original form, the field is still defined as shared.

Form formulas

To override the default form selection, write a form formula for a
particular view. For example, you can write a form formula that uses one
form to display all fields when a user edits a document and a different
form that resequences or omits fields when a user reads a document. Since
form formulas apply only to a specific view, documents created in other
views do not use the form formula.

Designating a default form for a database

  1. Open the Form Properties box.

  2. Click the Form Info tab.

  3. Select "Default database form."

Alternatives to storing forms

As an alternative to storing the form in a document, you can use the
LotusScript Send method to design a form you can mail along with a
document. This ensures that the database will have the correct form to
display the document but won't need to store the form with each document.

For more information on using LotusScript to mail forms with documents, see
the Programming Guide.

