Re: Security BugWare Advisory

From: Vinci Chou (CaptainBigat_private)
Date: Mon Oct 22 2001 - 19:58:45 PDT


    iribat_private wrote:
    
     >               Whacking A Machine With Lotus Notes Mail
     >
     > PROBLEM
     >
     >     SecurityBugware team found the following, as posted on
     >     www.securitybugware.org :
     >
     >     With a little LotusScript in your mail, you can execute whatever
     >     you want on the recipient's computer - even out of Notes.
    
    < snipped >
    
    This is nothing new and was one of the topics at Black Hat.
    
    
     > SOLUTION
     >
     >     The only solution is to deactivate the preview, and to delete the memo
     >     before reading it.
    
    
    No.  This is NOT the only solution.  The proper solution is ECL - 
    Execution Control List.  ECL is a security control mechanism that is 
    available in both R4.6x and R5.x.  Lotus already published an article on 
    their website in April 2001 to remind users of the security 
    implications.  Go to
    http://www.lotus.com/home.nsf/welcome/securityzone
    and select
    "Lotus Notes Stored Form Vulnerability"
    (Stored Form is another way of putting executable code in a Lotus e-mail).
    
    Vinci
    



    This archive was generated by hypermail 2b30 : Tue Oct 23 2001 - 07:54:31 PDT