Bugtraq mailing list archives
Re: Security BugWare Advisory
From: Vinci Chou <CaptainBig () bigfoot com>
Date: Tue, 23 Oct 2001 10:58:45 +0800
irib () bunker freexion net wrote:

> Whacking A Machine With Lotus Notes Mail
>
> PROBLEM
>
> SecurityBugware team found the following, as posted on www.securitybugware.org :
>
> With a little LotusScript in your mail, you can execute whatever you want on
> the recipient's computer - even out of Notes.

< snipped >

This is nothing new and was one of the topics at Black Hat.

> SOLUTION
>
> The only solution is to deactivate the preview, and to delete the memo
> before reading it.

No. This is NOT the only solution. The proper solution is ECL - Execution Control List. ECL is a security control mechanism that is available in both R4.6x and R5.x. Lotus already published an article on their website in April 2001 to remind users of the security implications. Go to
http://www.lotus.com/home.nsf/welcome/securityzone and select "Lotus Notes Stored Form Vulnerability" (Stored Form is another way of putting executable code in a Lotus e-mail).

Vinci