Some Lotus Domino servers can be attacked through the Notes client, Boston hacker group L0pht Heavy Industries has reported. The attack could take place when a user of Notes Client 4.6 or 4.6.1 previews a document in a web browser. This feature was not available in earlier versions of the client, and Lotus says the vulnerability will be fixed in 4.6.3A and 5.0. In launching the browser, the client opens its http daemon task, which then accepts connections on port 80. An attacker could conceivably use httpd to search around databases and manipulate documents. When the Notes Client is closed, the httpd task is also closed and the vulnerability disappears. It’s a very straightforward issue, said Lotus spokesperson Paul Davis, the vulnerability only occurs under very specific circumstances, which makes it hard for hackers to exploit. If knowledgeable administrators ensure that their access control lists are set to exclude access by unauthorized users, they will minimize the possible effects. In particular, administrators must change the default ACLs in the domcrfg.nsf database. L0pht points out that even sites that have done an otherwise thorough job of setting ACLs sometimes overlook this important database. Lotus said in a statement that it appreciates L0pht’s attention to the matter, as well as their help in alerting our user community to the important security settings they should make.
