US Report: Notes open to Net attack

Users of Lotus' Notes 4.6 client software may be opening their company's servers to attack from the Internet, according to a report from a high-profile bug-hunting group.

L0pht Heavy Industries, a loosely-organised, Boston-based group of computer users known for turning up serious software flaws, issued an advisory last night describing a flaw that allows "anyone on the Internet" to access and alter databases on a Lotus Domino server, once information from the server is viewed with a Notes 4.6 client.

L0pht said the vulnerability affects users who primarily use Lotus Notes for development purposes or as an intranet. Any servers distributed with the Notes client that are not running the HTTP task by default are also vulnerable, according to the report.

Earlier versions of Notes may also be vulnerable, but had not yet been tested by L0pht. Lotus spokesman Paul Davis said the company is currently testing the accuracy of the L0pht report and assessing its implications. "Our top priority right now is to understand it," Davis said.

The server becomes vulnerable when a user opens a database in Notes and uses the action "Preview in Web Browser," according to L0pht. The action connects the browser to the Domino server using standard Internet protocols. But once the connection is established, any user on the Internet can also connect to the server with a Web browser and modify documents using Domino URL commands, according to L0pht. The Internet location for accessing the Domino server could also be found in the user's browser history.

Documents that could be accessed would include confidential company documents and in-development databases. The vulnerability lasts only as long as the Notes client is open, L0pht said.

The group said that the problem can be fixed by editing a server's access control lists, which determine who is allowed to view and alter databases. Filters should also be put into place to disallow access to the HTTP port of Notes client-only machines, the group said.

L0pht has recently uncovered other flaws in Windows NT, Solaris and Domino servers.