IBM Plugs Two Holes in Lotus Domino Security

March 29, 2007

The company patches flaws that could have allowed hackers to execute code remotely in Lotus Domino Web Access, Lotus Domino Server 7.0.1

IBM has patched two vulnerabilities uncovered last year in its Lotus Domino product line.

Both vulnerabilities were fixed in Lotus Domino 6.5.6 and 7.0.2 Fix Pack 1. Last August, Sterling, Va.-based iDefense Labs reported a cross-site scripting vulnerability affecting IBM Lotus Domino Web Access, a Web-based messaging and collaboration interface for the Lotus Domino server.

"The vulnerability specifically exists due to improper HTML filtering of e-mail message contents. Although Web Access attempts to filter out HTML and script code, certain code sequences will bypass the filters and successfully execute JavaScript," according to iDefense.

IBM officials stated in an advisory that the Active Content Filter feature needed to be updated to thwart the attack.

The second flaw is a heap overflow vulnerability affecting IBM Lotus Domino Server software, which provides messaging and scheduling capabilities on a number of operating systems. If a hacker were to exploit the vulnerability in the directory service (LDAP) component of IBM's Lotus Domino Server 7.0.1 remotely, the hacker could cause a denial of service or execute arbitrary code. It was reported to IBM by iDefense in October.

"When a malformed request is made to the LDAP component of a Lotus Domino Enterprise Server, a heap overflow can be triggered," according to a security alert posted by iDefense. "The vulnerability specifically exists in the handling of strings larger than 65,535 bytes. When a string longer than this value is encountered, the service allocates memory using only the lower 16 bits of the string length. Since the entire string is subsequently copied into the newly allocated buffer, a heap-overflow occurs."

Although the service does not run as root, it does run as the same user as many other components of the Lotus Domino Server and therefore an attacker may gain access to sensitive information or subvert the server. In order to attempt exploitation, however, attackers must be able to connect to the LDAP service, according to the iDefense advisory.
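The advisory's description of the LDAP bug, an allocation sized from the lower 16 bits of a string length followed by a copy of the full length, is a classic integer-truncation defect. The following C program is an added illustration written for this article, not IBM's or iDefense's code: `truncated_alloc_size` and `would_overflow` model the faulty arithmetic without performing any out-of-bounds write, and `copy_bounded` shows the hardened pattern (an explicit length cap, and the same width used for both allocation and copy). The 70,000-byte input is constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the defect described in the advisory: the allocation size is
 * derived from the lower 16 bits of the length, so any length above 65,535
 * wraps to a much smaller value. This function only computes the number;
 * it does not allocate or copy anything. */
size_t truncated_alloc_size(size_t len)
{
    uint16_t len16 = (uint16_t)len;   /* only the low 16 bits survive */
    return (size_t)len16;
}

/* Nonzero when copying `len` bytes into a buffer sized by
 * truncated_alloc_size(len) would run past the end of that buffer. */
int would_overflow(size_t len)
{
    return truncated_alloc_size(len) < len;
}

/* Hypothetical limit a hardened server might impose on a single attribute;
 * the value is an assumption chosen for this example. */
#define MAX_ATTR_LEN 65535u

/* Hardened copy: reject oversized input before allocating, and size the
 * buffer with the same full-width length that the copy uses.
 * Returns NULL when the input is rejected or allocation fails. */
char *copy_bounded(const char *src, size_t len, size_t max_len)
{
    if (src == NULL || len > max_len)
        return NULL;
    char *buf = malloc(len + 1);          /* full length, plus terminator */
    if (buf == NULL)
        return NULL;
    memcpy(buf, src, len);                /* same width as the allocation */
    buf[len] = '\0';
    return buf;
}

int main(void)
{
    /* Constructed input: 70,000 'A' bytes, i.e. larger than 65,535. */
    size_t len = 70000;
    char *big = malloc(len);
    if (big == NULL)
        return 1;
    memset(big, 'A', len);

    printf("length %zu -> 16-bit allocation %zu, overflow: %s\n",
           len, truncated_alloc_size(len),
           would_overflow(len) ? "yes" : "no");

    char *copy = copy_bounded(big, len, MAX_ATTR_LEN);
    printf("hardened copy: %s\n", copy ? "accepted" : "rejected");

    free(copy);
    free(big);
    return 0;
}
```

Note that 65,536 truncates to exactly 0, so the faulty code would request a zero-length buffer and then copy 64 KiB into it; the hardened version rejects anything over its cap before any allocation happens, which is the check a reviewer would look for in this kind of code.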

Copyright 2007 by Ziff Davis Media, Distributed by United Press International
