Reported June 26, 2004, by iDefense
VERSIONS AFFECTED
- Lotus Notes 6.5 and 6.0.3
DESCRIPTION
A vulnerability in the Lotus Notes client can let an attacker execute
arbitrary code on the vulnerable system. Because of insufficient character
filtering on the argument passed to notes.exe from the "notes:" Uniform
Resource Identifier (URI) request, an attacker can force a user to start
Lotus Notes with a custom notes.ini file that's under the attacker's control
and that specifies a custom data directory also under the attacker's control.
The attacker can create a malicious DLL containing arbitrary code that's loaded
and executed when notes.exe starts. The Notes URL handler fails to properly
filter input when a user clicks a Notes URL and the Web browser activates the
Notes client.
VENDOR RESPONSE
IBM has released bulletin SPR# KSPR5X6VEA, "Lotus Notes URL Handler Argument
Injection Vulnerability," to address this vulnerability and recommends
that affected users apply the appropriate patch listed in the bulletin.
CREDIT
Discovered by Jouko Pynnonen.