Multiple vulnerabilities have been identified in IBM Lotus Domino, which could be exploited by attackers to disclose sensitive information, bypass security restrictions, cause a denial of service, or take complete control of an affected system.
The first issue is caused by insecure permissions being set on the shared memory created by the application, which could allow malicious users to disclose sensitive information.
The second vulnerability is caused by an error in the Certificate Authority (CA) process commands when using uppercase characters with either the CA "activate" or "unlock" commands, which could result in the password being displayed in clear text.
The third issue is caused by a buffer overflow error in the IMAP service when processing malformed data, which could be exploited by authenticated attackers to execute arbitrary code.
The fourth vulnerability is caused by an error when using the Evaluate LotusScript method in conjunction with specific @ formula commands to design views and agents, which could cause the view or agent to return information of which the user normally would not be able to access.
Credits
Vulnerabilities reported by Ollie Whitehouse (Symantec), Michael Gollmick (TIMETOACT Software and Consulting), Daniel Nashed (Nash!Com) and VeriSign iDefense Labs.
ChangeLog
2007-10-24 : Initial release
Vulnerability Management
Subscribe to FrSIRT VNS and receive real-time e-mail and SMS alerts when new vulnerabilities, exploits, or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form or by email to updates@frsirt.com.
French
