Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


IBM Plugs Two Holes in Lotus Domino Security



 By: Brian Prince
2007-03-28
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
The company patches flaws that could have allowed hackers to execute code remotely in Lotus Domino Web Access, Lotus Domino Server 7.0.1

IBM has patched two vulnerabilities uncovered last year in its Lotus Domino product line.

Both vulnerabilities were fixed in Lotus Domino 6.5.6 and 7.0.2 Fix Pack 1. Last August, Sterling, Va.-based iDefense Labs reported a cross-site scripting vulnerability affecting IBM Lotus Domino Web Access, a Web-based messaging and collaboration interface for the Lotus Domino server.

Resource Library:
"The vulnerability specifically exists due to improper HTML filtering of e-mail message contents. Although Web Access attempts to filter out HTML and script code, certain code sequences will bypass the filters and successfully execute JavaScript," according to iDefense.

IBM officials stated in an advisory that the Active Content Filter feature needed to be updated to thwart the attack.

Read more here about IBM Lotus taking social networking to new heights.

The second flaw is a heap overflow vulnerability affecting IBM Lotus Domino Server software, which provides messaging and scheduling capabilities on a number of operating systems. If a hacker were to exploit the vulnerability in the directory service (LDAP) component of IBMs Lotus Domino Server 7.0.1 remotely, the hacker could cause a denial of service or execute arbitrary code. It was reported to IBM by iDefense in October.

"When a malformed request is made to the LDAP component of a Lotus Domino Enterprise Server, a heap overflow can be triggered," according to a security alert posted by iDefense. "The vulnerability specifically exists in the handling of strings larger than 65,535 bytes. When a string longer than this value is encountered, the service allocates memory using only the lower 16 bits of the string length. Since the entire string is subsequently copied into the newly allocated buffer, a heap-overflow occurs."

Although the service does not run as root, it does run as the same user as many other components of the Lotus Domino Server and therefore an attacker may gain access to sensitive information or subvert the server. In order to attempt exploitation, however, attackers must be able to connect to the LDAP service, according to the iDefense advisory.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.



  Reader Comments: IBM Plugs Two Holes in Lotus Domino Security
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Brian Prince
 


x}kw⸲Z4C'ƼCC/{{<1mгO/g?q㭒y QJURTzCgo@.lE31?xY"ͽ7o ͟42yI[ mWFFU7MQT~wM +1U|4u{#|b9oފ;| `OS{SMuD7!71\2=16)\ 3mib ^Qkс_5xJpGDru#$IDvgV'AySG Y߃"C)O*ذ)tG(%*F0H>;V6zN#k~|=Y¬ZA/5sLe~DNM[ ,Jɓ ڭ@5ltiod23!!kKŽ}Y۹ߜq@ؓ&IthmUb'#bx#ڦ^ ^]6m&\./2_ )SÄ(S,]c9ٮ^8Ќjꊋ'Q/!(ওҀ [8/F^yye["˭Uֶ5^z7v홥kO|Yb!6bJmCO|t5ś0 ڮ L\}`_DQr=M5 .g龨wu9_*$ b&ku{0,~LÚ=NNF_{R9/˒T]uί3ć CS5-(rAT\vNnY\u?/.ފ-NVT߈ QT"*B>IuubAG${/@BKkVQWB-b Kr].HH.պ1;H0CВF^R >ϦU}s}I}r~|i!|#9ĐTd行 KW+֟㽡jq{vz|q۹:Y?vN=$O%tk(tf~R|YmUk_nG}_A$[C9[`-TϼCb{t&j]8蜐 Q<ퟒ_XB1E}!8r;7#ceQc5sehӀ7'd8g[2, n\VЎ,Zڦ-MtEÿ#E/$Lu_!X]53fI52(,Eg5@Nu 1hbhksvf8,8ř/\P%P_Ƣ[0jJt$Iq1{N05c6m ˊ(>(2胂:mXj.sWԉAhnNtHgxP\=譫Rg&v/>t}c{N##@E$7 t"ز=y3c)иAs L΃bromM^(gEn0T<мa !yjw;TjPf,u]<2Gc :GX[W S&xk3U'[0$Ϸ"J}#>] #WIA4eN|4"BQFeT * g3c"M@#'s [NXk KŸ\*u"XJm'8.=ȗJ"JX*&Qo90/1LsdRAUU g9!yU#\U]ᛦLMam`DݚA,,UTքhdla8Bdp{<3L`  [P' '5$".n* byOa5]sÙ5h[#=ۼ 3ݟ1yaY@ {9(eTnN 6C \ V?,=@ 798k9^\!QMCl VXaOv!vn'6`F 2VS w$mӰ&KTbۊv.S9n! pW&i 2eOyUfd (:f[oȬ,.7 \IZebd,U9aXScXMϠD@u7<=QbJJv >Zh'F6ec p!jlYWn%,joJҴ.@T8$74Bʶd/^[a`֩%ҧ֡ԅ@&(h +ezx% te2kqn Pxl {8k)=Pe Kӈ0qdIDXƣ- : 9P 8&~ߟLwLt;Ij׳luv=I>^*!(>]Om?} 8,=\bzv&!TR&h ، 9_1Gۢp\BMX@h@S`wE.WݡmΧXΰw^vп~5Ft4ݴۄ!֭C= D5*0۠ F] s]řt-|*o&rI*q܏9&"Gč[d*ЧMPmC:f[tMV9 QZV|\.aj6|*2PaG;rSE ealynnGkafmj{>80C5Kw=>Ul6$#Qָu&p0=]qՉ8{;S$`n6(ңpHL`_\P "/$*Oj-[h[ݥt)_y/#O(w,橡3 "cSSgm֠J@\C~%T(FHpM1Z҇"qUI-+*l wq0rAs5bRB",b?!KG۬#̷Ou9^i>\S˭@x(C@L:- G(b`;>ީVQ=Hm0U-q#/UjB~6g+z{o֒.8Fh2Q@G"CG[t *Pus8*K5v3VxJ:m^~,^yޢzr}!Yh993i328z-^O)Lˑ3\zYJl8[5־P5+V{H_Ԏ7RGͤ`:Ɔ}C5 ӇRl0:.>] 3p3n2R%-y~VֱF5H1pl a%XQfx,+K&9hh25BWJ9=*5S| U&# Ak5VJ`絟_㊟-L6bf T(U@\ )3'*3WߩSq:Rf޿yi?G2:eQHVU|qwVP]]">v2?/e!v^*TҤƀ$/MyR,Wkۊ;,H| KFWb/թdQ,<ӦT)*OeP%DBFƱq섗 ")̍ҸfXhMl<ryxKMݯ$DxOCVjFgA 2-6ǟP1Ή~C0 ~R" }M3gX]xzLg#{? 7){ZOGxG] _w{~{uD(DXyyC ՒRjeй:mrDJut?\ 6LED, ȅ Xq$9Ĩʐ}/vnv 7mv>N2E4re}I{ѽas⽎׼Γ!uB9!pVv&fڎ6)N #Yzq:KD8 ỳ@ ycޜo4c9NgL]c Vu4gVﭨIАcŷݜ8! tXN;{lH=lgV8 ٟB`/ٻ|Z8w[q*A#sYd XJ=vl/Nt% $|^ =\D̋9'Jwt=2aԂ;(o"%(P"Y:0KҤEssdW]E}{Շ(4.3{P"^oGY D ]=ԡPPSB6Mmdine9<]--^Sr>\DE @OɋwG]_|Q{ճY{+&i8W=:okQ\ezZU~D Rۤm?z 2'r|5Zgqd"Lư2^C%F[uw+[cgcc;/F%%wox {Ϧ)خ!_кqŵZǴ qVԱQ*_2$;lߖ6ւ1v̙[ʈ1WcZ­*n}e b ֒K0K,\H ~=Uq y;tEr,ZQĶol d<}jXK3{voK1+(&&/aREI51Y|Rae.꿶 P ۟yu_1ii6 p;76|i)y{Ї6㙡1"04:5Rу9ژɊ?ީ FfkP>yZ 8tUaͧ8Kptn?Ånn[]3W'ntcOwc\ile|q+Ts|ID673C67qg{i0(ǼAh6#{7J;Yl}/f%π̂}q x{8 F"d@s^i  ]\g?Fh2; cK7F"/ 5ia-@B^i) \b0] (S0l6xnFfp:T}4°R~h ?,9g|ÝxBOb%:,XXxNJ]y3bw}^ۃPd$Of^JRk+B2SVJjP+EXWׇhᲈm8\apu ěcOy!&1H K\ѐј4{]™ţO쉊98 X(0q\TRlb7_z ?/R i=nc<&~qwѓߦC=쟒\oDKAw8-k-gㇳɥӱe<ѩGxriHNh@&Z2ڋlӓ[e~SƺZ +04֚tK^f9oH5Whit,5_Ȗ4XRg ׶iR%kЭ1–FY5I& j) hӐ[ڒ_@~DX:Ltks&{D_C!HPj`f ,E1:py8 L45WK,}"^d! LD÷#@ghP9 ޷zOς {4w%) )I%EH"5w@#njY$5rkw4т'1ZU k,-%_U ڗaqZc׬:չ3@[(Y}BQ`a7.<&nf rX ɅVb^, M|daY홠`s HxŸU֯^Pˬ[1!5f49v(Ą؉'SS|llt5?NLZg~*IW3/M Hi>ڗ6|yi05b' Z , p{"(9$|vsH"@tՐK$@Ǯ8hXKIױ Iel|3X8;X"P?p+otH0X$ ߡ =L`(@0|R׷zn/Xѳ _ }c\(6He߳ z4Mw8HzFS E2$H zzbZ|r7nof'qxOm];zՓH`#99!Dțە{}#d/ 'wBaތ3wD"39ÍZai&v)i/d a˶,N)}{P? ysC lث2Ǧ;ׄ%T|oqAƾx=[oj,<>^yy۷@[pΡ6mxw Jdoze84$B>spm+ș:ߦ >m_y^,+ֈ*?"rzmY΅^_owKrj}9.ƽGW4t;烐9=IԬE5VX,h%"R0MG`u 8Y@dOQjb ,aK<wzr@lM?.y0k[Y V{%j9|{_Kު_xvUߢx"+Y4˿$or`'ŰKͧhMLm!޼xv1ZDo 6<0*kӣTv01S݃r*nFʼn=п9HVoCz(X6~cVxrr{4k1.V@1g$$ELz-:6].~ ʟ* CߥNDQuBcjS,k vf4j Su&ߞE[$H~H$O~n/|x|oL˯<͓LE574![<:;,'8Ȩ>bC$H5 ׅS?P=ˤv$O_nZYR3!bw%J:Zo 2X9$!X56 uF 2$'x}Y (Ti.w{;ZDvWι }~,>4i 4B?HCZZ>(򷷒M\IMt6G%Œ K'XSHr#@ a)q/1 S" r v4 f),p^4%J16njSwmT˯\y#;ZR,w)Gdo%_&.E(Ĩ(]Wwt\—ЀJT5sboh1,[H攙fkxc;Xymzۡ}mS;Xhfyl +-f3xB(MNșTU%8XhdoΘ;3c[K㠋mb|eXh6I̪Ẻbs"̶~B ? l퐟S|mS]ű-櫲T<宮:W ]c砡E4jɣn#/F#6Tj91s+[5P}c^b9_>PP*D(0Zr/1V=5bcGa/ `y z9}r4ֻkp1 /#ۍ @_t ;~ۊ+k2F t>άlG*nÕ TJ f&ϋW yFtpm ׯ0OyXg^K]agH\+L6m)x[jhwY܅8&0x*9 ɹb)ap I{ ?K1wa\_ 1VԞk}AO]P {dUh9mf\q뼐B\2ExA[{xb*bB1MM;P}3Y?d=ta'^^BQJكz(Z75 ަ]逻8;AF}hckcoIՄQT1< :~A:,Wr逄vh:A/Q!G)|~posM M3Ԥ7?<N9W roy8VI 8b ,i 3"|P\m3CsAڷv߾顅 Ci|nP^H}ڎ)n09d^'! ,υLm C{naЭ]r!,/>KfC&7 kp[:LZQ0Wwwj}UOI >\P g@L-;aXqAFY#h|GCOs3MGۧ14`Az\Nc]1")HD3-|TD}Jj++g1 saBuKqפ\ß5ec,{bgGǩ9fz.#_ϓ!P7]ΰ"@[ g o C 锁z%%n4Sht`_1™f40A8@"\p?2u~a2?: }:5 E25| \{~txˁQ"I|:M ;ӟyɏĎnsKL byNb $BнoVX!ޯֵP=q ><k̘_[+R)H Tꪄ λ"lc=Kҗx: ;Hı5z+IAΐ*:>i{H<TBOw'u71l]__|"g"g76}8t9n_to*oėwqIY}}ӹgg +1z;%6/MƋBY2 gW6Sf:NTy4uk̤9,% E *w"JB~7%)>ppN?gOa}y'U^\UuݔwAtSOK7E\}\5ԿNsB?=/e=/e}~ _B_!cZ>c>>o~oSڿMi6k CJ5nNpSKq /Wa uu_yV ?^`k)x.2 {)[i?[vO}׸F)]a--k{Z1j4 b/ BU(X2M"j+(31hpWZdcbh |{Hץ?~Vb构u]}\Lո]@&=ٻ˯,hcENj9&yQg΂'fo{cWL"z1Iɾ;'<%YØ/ܻCz̈n~vu"/TRg?P?5è> g m`Yw-3x$>=BGP%3Kk>ÓxwgY몮,j8“m(! 9q}2ى3joBg4D} HHZ·bX<A/+x z>O>th6@i\.׭mhͦd*sGSS'UQ !Pi}CQ+"D7)4\O9GGljS ;w{+~58]pƘ8ƶ= PiIdP(e|R3ĿD2L>=CJDH^(U8`ϴ)X,J D`Q>Ext6`";6UB` Es z!Bs1 4aԭxK_+BxO"Gt}[ZceHkf" jaNگD`}SwPsoqp=m iN#47ӽEfI2ؐZ{A[Rg軥@:ao@;Skh|ӄwYBDKhգ=ıٰtrP3l>ATq8zΥă]"s>oQ^ܺ']FGy/{eVU@v=_3Cc 2d yd:? @ HwȼO!'TCi&nh?s/ BC吠t#'_M_ȱ0Jnp[$b2 tBL/t TxɄ`wưo -F_ŸxLk2On3 *`Tp$֠=^AI![,HM;eB꯷ahknDk{l8ٷ]`iN ů݅NL{g@S*y1 Azbl)kӕsXKUwUWw.q^<,x`O OEk 6RW,/sQF:` * "X&$l }_I^d̓؋Uπϯ.~4gIkn=xh&ʎ$Lة݁:Qt˪C۾~2h=)A-,K`Zv$$ }= ڴཧVߞbsYTDڣco[zL .mW1}+(P‚DvZkJ2}kK05ۀGSL |1IK{u1ȅ#126pp523J &/L\=oy^D, - o*)j;cw]/I![AȹX.Nw R\u"1ʢ1?0?x$K0D'D[çARD~{TT zʲ t)Xl3%^z+:qk3Gek[Veلޡ_!Xj.Z"Iů?gM!И#B.8Fgd)0Pw.y㶁F":} 3 tbAd A{gEcd_vܥM)V m;)֍d2-1K`Xc \}wH v,tw^; qV' b3H?FrBy{Gkϖ`XXu!AY=-_c!0p,\ hzЇ6AxFKoA;)3(NA")QzTQޮ7Qi#TM[ ʢM 9ߵp߼,ٿvylFXg۩DtX `V|ֹM3Ϗp``2[ugZ=קg[K c& , $(jeVI6{{:7&iz-#cCv_~0h;?FÈA wLwǰiD!ʧ۹uw +7RO |-\`s{E_ۦLDXZ8/'3qȏ*|k2>u_#;]R*綉N-Z(7={KF  咳Y}c3Cv\[ -0Mr?;]Y4LCi61Ĝ`d*0_m1rtv.2hBIՏSP Lp˘9կ@,P փ/Oo|HF7Xe +|SA(:x2D#lBLb98n'j *b{F~"з:QH]A΃Uֳ8r },i4AB,W7~) 2bag8*n.ݖ/4Y=`r06rhtVpj^YHA?sDmVH@孙iR$+J*>R0Gctr^-W{#r*3QyVxұy3|5H%*{Ŕ>MRg0+JS,~U7X써nK{&8G0~[tWJò\ MteUD2Uێ87{sAL5Q@GՃV)K\Z]1358J.)s TGՠ&|?ތWw$Ł]H4!+" p.u pLRIʅ[.{:E/>7OA_Qrb/2 |6@ZPw DlKgs[(t?]X':|J$ss ǿAl<6)eA :VAŚ]6}YV[LZ;X|׍nCZj#xt׏ވ"S{0 53/qFHr=ʢrʼn7@cgX̓VD^iAƀTژi E&z9hBmČ.`QqDnc뛱:V>잡k]2aZ F 3vz=W8!Co'>i?:Ho%2 (26 ra]e9^ pp -`HyDTFE i!B_ @7#r%Q-I!xEHVͣi7P)zFOۭ rڐ@@u.> T#h;wtG#ޑw Y1nRG - 6<ٵOiۮ+6)ck7&ޙ#b hi2-N0+Ms(<Ǜ5)l1|n E*JF+Kxhse(γdf-JMkD 51 \mgtXB8p{o [64R9l'3{eǣC-qԬO;rP%us\>BWQ\iJ0-J53\&P8v;X6y&503:K'Lö#쐠7xp TށK&nqO|D!ث\OxkA4ɾ?]Wgݫpֺ\|:Z,y׫u~mJ }%>(y?Z}ҽ%nǭt?\ AAit-/ӽ9m'APOhi} bH%za,:#s%#d z*3¼\+h"$24AZ3! 0}&[6CHlo-;k1_\/e6aȎBS+k ǔ+S1E: 3+Ɲ͏";Lt K_A