[22954] in bugtraq
Re: Security BugWare Advisory
daemon@ATHENA.MIT.EDU (Vinci Chou)
Tue Oct 23 10:59:33 2001
Message-ID: <3BD4DCE5.2080202@bigfoot.com>
Date: Tue, 23 Oct 2001 10:58:45 +0800
From: Vinci Chou <CaptainBig@bigfoot.com>
MIME-Version: 1.0
To: Bugtraq@securityfocus.com
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
irib@bunker.freexion.net wrote:
> Whacking A Machine With Lotus Notes Mail
>
> PROBLEM
>
> SecurityBugware team found following, as posted on
www.securitybugware.org :
>
> With a little LotusScript in your mail, you can execute all what
you want on
> the recipient's computer - even out of Notes.
< snipped >
This is nothing new and was one of the topic in blackhat.
> SOLUTION
>
> The only solution is to desactivate the preview, and to
delete the memo
> before reading it.
No. This is NOT the only solution. The proper solution is ECL -
Execution Control List. ECL is a security control mechanism that is
available in both R4.6x and R5.x. Lotus already published an article on
their website in April 2001 to remind users of the security
implications. Go to
http://www.lotus.com/home.nsf/welcome/securityzone
and select
"Lotus Notes Stored Form Vulnerability"
(Stored Form is another way of putting executable codes in a Lotus e-mail).
Vinci
