[18536] in bugtraq
Re: Lotus Domino: security hole the size of Texas,
daemon@ATHENA.MIT.EDU (Andreas Siegert)
Wed Jan 10 16:59:18 2001
Mail-Followup-To: Andreas Siegert <afx@atsec.com>, BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id: <20010110203051.A731@cray.atsec.com>
Date: Wed, 10 Jan 2001 20:30:52 +0100
Reply-To: Andreas Siegert <afx@ATSEC.COM>
From: Andreas Siegert <afx@ATSEC.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.10.10101081523420.12819-100000@squirrel.tpi.pl>; from lcamtuf@DIONE.IDS.PL on Mon, Jan 08, 2001 at 08:50:32PM +0100
Quoting Michal Zalewski (lcamtuf@DIONE.IDS.PL) on Mon, Jan 08, 2001 at 08:50:32PM +0100:
>
> ANY AUTHORIZED USER OF LOTUS DOMINO MAIL SYSTEM CAN GAIN UNAUTHORIZED
> ACCESS TO *ANY* MAILBOX IN THE SYSTEM BY MODIFYING THE TRAFFIC BETWEEN HIS
> CLIENT AND DOMINO SERVER OR BY MODIFYING CLIENT SOFTWARE ITSELF.
>
> (with great sorrow, have to turn my caps lock off)... Not to mention
> accessing / modifying other files than mail\*.nsf entries. I haven't
> checked for that - should be more problematic, but probably can be done.
>
> Again - as I said - your comments are welcome. First of all, it would be
> nice to confirm this problem, and to see if ACLs might help. And *NO* -
> encrypting TCP/IP connection won't change anything, as stated above.
Hmmm, fortunately Notes allows you to encrypt the whole mailbox so that it
resides encrypted on the server and the client. This is a different option
from encrypting the traffic.
cheers
afx
--
atsec information security GmbH Phone: +49-89-44249830
Steinstrasse 68 Fax: +49-89-44249831
D-81667 Muenchen, Germany WWW: www.atsec.com
May the Source be with you!