The Cambridge, Massachusetts-based software company was responding to reports by a bug-hunting group renowned for discovering glitches in software products like Internet Explorer, Windows, and others, that discovered a flaw within a version of Notes client software that can expose database files to attack.
"First, Lotus characterizes this as a vulnerability and not a bug in Notes. Lotus is aware of the security vulnerability in Notes 4.6.X products...This affects only Notes 4.6 and higher," a company spokesperson said.
The Boston-based organization, called LOpht, posted a security advisory on its Web site recently saying it has received reports of a vulnerability in some implementations of Domino server via the Notes 4.6 client. The glitch affects companies that use Lotus Notes for development purposes or as a server on their intranets.
According to LOpht, the problem occurs when a user, through the Notes client, opens any given database and previews the information in their browser, which runs the HTTPD (Hyper-Text Transport Protocol Daemon) task. That task then accepts connections through a port.
With this completed, "anyone on the Internet" can then access the program and get a listing of the available databases. "Subsequently you could open the log and see the database(s) the given user was recently accessing or modifying," LOpht researchers wrote in their advisory.
However, Lotus described a slightly different way in which the problem can be invoked, saying it occurs only under a specific sequence of circumstances, and thus is extremely difficult to exploit. In essence, 4.6.X allows Web application developers to preview applications as they would appear on the Web. The problem only occurs when a developer tests an application by previewing the information in their browser. It is only during this process that an external party could access available databases on that particular client machine, and only if the external party has Access Control Lists which allow access by anonymous users.
When the glitch is tripped, bogus users can search around and basically manipulate documents that do a wide variety of things, according to the advisory. Domino URL commands, which can be used to edit, delete, and manipulate files through the Web, can be found easily on documents or through Notes newsgroups, LOpht said.
The impact of the glitch could be damaging to Notes customers. LOpht said remote intruders can potentially retrieve, through the database, confidential company records and more.
Lotus said users of notes 4.6.X offerings will be able to upgrade within a month to Notes 4.6.2A, which will protect them from this possible security issue. In addition, the flaw will not affect users of Notes R5.
The bug research firm does provide a temporary solution to the problem. Access control lists, the mechanism used for setting the server's security permissions, need to be edited manually by an administrator to ensure tight security. LOpht said, for example, if domlog.nsf could be read, that alone is a security breech. For a workaround, they advise administrators to set up routing filters to disallow access to the HTTP port of Notes client only machines.
Lotus backed the solution provided by LOpht and added that information concerning security protection in Notes and Domino is included with Notes software.
LOpht said the new problem could also exacerbate an earlier flaw discovered in Domino.
As reported in January, LOpht discovered a problem, not an actual bug, that allowed any Web user to write to and exploit remote server drives and change server configuration files, according to LOpht. What turned out to be a design flaw gave unauthorized users unrestricted access to default Domino databases.
Lotus did not issue a patch or update to fix the flaw. Instead the company posted a technical note to its Web site instructing administrators on ways to avoid any security violations as a result of the flaw.