Vulnerability Development mailing list archives

Re: Notes Domino Server Platform for e-commerce?


From: martybishop () YAHOO COM (Martin Bishop)
Date: Thu, 10 Feb 2000 09:31:14 -0800


Just a note on Lotus' response:

Our penetration team found two denial-of-service
vulnerabilities in the Lotus Domino web service almost a
year ago. We promptly issued technical reports
and sent them to Lotus and IBM over all their channels
we could find even remotely resembling security. There
was no response for three weeks. Then I accidentally
noticed a person from Lotus posting a message on
BugTraq and contacted him. He then accepted our
reports, thanked us and assured us the issues would be
addressed ASAP. About three months later I tried to
contact him again to see what was going on and I failed
to receive a response until late last year (after at
least 4 requests) when he apologized for some
personnel problems which have allegedly hindered the
resolving of the issues we have reported.
Well, at this moment, the latest Domino version with
the latest patches is still vulnerable to both
attacks.
BTW, the first attack effectively crashes the HTTPD
process and the other makes all databases unreachable
through the web.
I fear that Lotus too may be among those that won't
budge unless a vulnerability is published and widely
exploited by script-kiddies. And as much as I wouldn't
mind seeing some asses kicked after nearly a year of
denial, we can't publish the vulnerabilities because
we can't put our clients at risk.

OTOH, this could be an isolated incident. I would
really like someone from Lotus to confirm this and get
those issues solved.

Regards,

Marty