Penetration Testing mailing list archives

Hacking Domino (Penetration: from Application down to OS. Getting OS Access Using Lotus Domino Application Server Vulnerabilities )


From: Alexandr Polyakov <alexandr.polyakov () dsec ru>
Date: Thu, 29 Apr 2010 00:42:48 +0400



New Whitepaper from Digital Security Research Group (dsecrg.com)

Penetration: from Application down to OS. Getting OS Access Using Lotus Domino Application Server Vulnerabilities


This whitepaper continues a series of publications by DSecRG
researchers describing various ways of obtaining access to the server operating system
using vulnerabilities in popular business applications found in the corporate environment.

This time we will talk about Lotus Domino – a very popular application that provides enterprise-grade e-mail
and collaboration capabilities. This system stores a huge amount of critical corporate data and represents
a good target for a potential attacker. People must also be aware that this system is usually reachable
from the Internet and can be hacked to get access to the operating system of the server in the DMZ and then to
the internal servers of the corporate environment; in this paper we will show how this is done.


This whitepaper has been written to inform people of the importance of business application security,
as these applications store critical business data and can be targets for hacker attacks.
According to statistics from the latest security assessments, pen-tests and application security assessments
performed by Digital Security, applications are the least secured link in the overall IT system security chain.

Download from:

http://dsecrg.com/pages/pub/show.php?id=24


About Author

Alexander Polyakov is currently director of the security audit department at the Digital Security company. He is
also head of Digital Security Research Group (dsecrg.com) and one of the contributors to the PCIDSS.RU Community.
An expert in enterprise application and database security, he has found many vulnerabilities in products of
vendors such as SAP, Oracle, IBM, Sun and many others. He is the author of multiple whitepapers on IT security and compliance,
particularly enterprise application security, and of the book "Oracle Security from the Eye of the Auditor:
Attack and Defence". Alexander Polyakov holds PCI QSA and PA QSA status.

About company

Digital Security is one of the leading IT security companies in CEMEA, providing information security consulting, audit
and penetration testing services, risk analysis and ISMS-related services, and certification for the ISO/IEC 27001:2005, PCI
DSS and PA-DSS standards.
Digital Security Research Group focuses on enterprise application, ERP and SAP security problems, with vulnerability
reports, advisories and whitepapers posted regularly on our website.

Contact: research [at] dsecrg [dot] com
         http://www.dsecrg.com
  



Polyakov Alexandr. PCI QSA, PA-QSA
Head of security audit department
Head of Digital Security Research Group
______________________
DIGITAL SECURITY
phone:  +7 812 703 1547
        +7 812 430 9130
e-mail: a.polyakov () dsec ru  
www.dsec.ru
www.dsecrg.com
www.pcidss.ru


-----------------------------------
This message and any attachment are confidential and may be privileged or otherwise protected 
from disclosure. If you are not the intended recipient any use, distribution, copying or disclosure 
is strictly prohibited. If you have received this message in error, please notify the sender immediately 
either by telephone or by e-mail and delete this message and any attachment from your system. Correspondence 
via e-mail is for information purposes only. Digital Security neither makes nor accepts legally binding 
statements by e-mail unless otherwise agreed. 
-----------------------------------      

