Re: Lotus NOTES

From: dsanchez@sanchezsantiago.com
Date: 12/02/02

Next message: David Litchfield: "Re: Windows Heap Overflows In General"

Previous message: Dom De Vitto: "RE: "download" caps"
In reply to: Bruno Mosconi: "Lotus NOTES"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: "Bruno Mosconi" <bmosconi@fnazca.com.br>
From: dsanchez@sanchezsantiago.com
Date: Mon, 2 Dec 2002 08:46:46 -0500

Most of the security issues associated with Lotus Notes is due to bad
implementation, bad setup, and lack of well thought security policies. One
of the most important pre-implementation tasks is to plan how to manage
the Lotus PKI (how to create and manage the certifier IDs, how to
distribute and manage the private keys to users, key recovery, etc.).
Another major issue many times overlooked is to not take the default
access control settings for server security, databases, and templates. You
need to look at each one and adjust them as needed. Proper planning is
key.

IBM Redbook - Lotus Notes and Domino R5.0 Security Infrastructure
Revealed:
http://publib-b.boulder.ibm.com/redbooks.nsf/RedbookAbstracts/sg245341.html?Open

Lotus security zone reference of papers and publicly known security
issues:
http://www.lotus.com/developers/itcentral.nsf/wDocs/securityzone

Lotus Development Domain newsletter (look for articles regarding
security):
http://www-10.lotus.com/ldd/today.nsf

Lotus Fix list database (includes the current and planned security fixes
by version):
http://www-10.lotus.com/ldd/r5fixlist.nsf

Bugtraq:
http://www.securityfocus.com

Regards,
Deoscoidy Sanchez

"Bruno Mosconi" <bmosconi@fnazca.com.br> wrote on 11/28/2002 01:07:34 PM:

> Does anyone knows a good source of Lotus Notes security
> issues/holes?
>
> []'s Bruno Mosconi
> F/Nazca S&S - AdverSiting
>
> ----------------------------------------------------------------
> The information transmitted is intended only for the person or entity to
> which it is addressed and may contain confidential and/or privileged
> material. Any review, retransmission, dissemination or other use of, or
> taking of any action in reliance upon, this information by persons or
> entities other than the intended recipient is prohibited. If you
received
> this in error, please contact the sender and delete the material from
any
> computer.
> ----------------------------------------------------------------

Next message: David Litchfield: "Re: Windows Heap Overflows In General"
Previous message: Dom De Vitto: "RE: "download" caps"
In reply to: Bruno Mosconi: "Lotus NOTES"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Lotus Notes: File attachments may be extracted regardless of document security
... Subject: Lotus Notes: File attachments may be extracted regardless of document security ... This report is currently under investigation by Lotus and is being tracked ... if you know the Object ID of a file attachment you can ...
(Bugtraq)
Lotus iNotes Client ActiveX Control Buffer Overrun (#NISR17022003c)
... NGSSoftware Insight Security Research Advisory ... Lotus iNotes Client ActiveX Control Buffer Overrun ... NGSSoftware alerted IBM/Lotus to this issue on the 14th of January 2002. ...
(NT-Bugtraq)
[NEWS] Lotus Notes/Domino R6-beta PROTOS LDAP Denial of Service Regression
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Lotus Domino R5.0.7 and earlier were affected by the PROTOS LDAP issues, ... While regression testing the pre-release and beta versions of Lotus Domino ... Credit for discovery of this vulnerability goes to the PROTOS project. ...
(Securiteam)
Re: Confirmed Cases Of Trapdoors By Overseas Programmers ?
... >>>.....and the Lotus Notes case. ... Lotus certainly told the world, the Swedish Government didn't read the ... "differential workfactor cryptography" and was never hidden. ... In a Keynote speech given at the opening of the RSA Data Security ...
(comp.security.misc)
Lotus iNotes Client ActiveX Control Buffer Overrun (#NISR17022003c)
... NGSSoftware Insight Security Research Advisory ... Lotus iNotes Client ActiveX Control Buffer Overrun ... NGSSoftware alerted IBM/Lotus to this issue on the 14th of January 2002. ...
(Bugtraq)