Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Is R5 exposed to stored forms exploits?

From: "Grank D'souza" <gd_souza () hotmail com>
Date: Mon, 17 Sep 2001 22:09:20 
--------------------Short version of the issue-------------------------
Is R5 Domino/Notes environment vulnerable to the stored form exploit over the Internet?
It seems that SMTP-routing stored forms emails changes them into attachments and Notes-routing stored forms requires cross-certification.
Given these two issues, is the danger of stored forms from Internet still a reality? 

-------------------Long version of the issue----------------------------
It has been long known and recently publicized (DefCon 7/2000, BugTraq 2/2001, Lotus 4/2001) that stored forms (also called active content, mailbombs etc) via emails can carry malicious code.
In R4.x world, an internet attacker could embed malicious code written in LotusScript in emails and send them by choosing "Maintain Notes format via the Internet" (or such some option available in Actions - Special Options menu ). This email when read by the recepient would cause damage(there was no need to launch any attachments).
With the R5 release, one can route messages over the Internet using "SMTP routing" or "Notes routing".
The use of an R5 machine process SMTP-routed emails converts the stored forms into the annoying attachments called either "encap2.ond" or "c.dtf". These attachments can't be easily launched and the stored form code is not easily executed.
The use of "Notes routing" - can maintain stored forms - but requires cross-certification (so I have been told). Again an attacker would not be capable of cross-certifying.
Lotus still recommends that stored forms be disabled in R5 - but does not specify if the exposure is from internal users or external users.
So, do we still have an exposure from stored forms in R5 - or can we sleep peacefully at night? 

I appreciate your expertise and input on this matter.

Regards.

- Grank.
------------------------------------------------------------------------

_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
Previous By Date Next
Previous By Thread Next

Current thread: