Re: Lotus Notes

From: M. Zeeshan Mustafa (securityat_private)
Date: Wed Nov 27 2002 - 12:16:36 PST


    SKP,
    
    Notes security architecture isn't bad at all; basically this threat
    is because of wrong configuration at the beginning of the Notes
    installation. The solution is: if you go to the database access control
    list, you can configure it there.
    
    Yes, this information can be used for exploiting, such as brute forcing;
    since there are global login-attempt checks, you are still secure.
    
    <quote>
    On a Notes client
    it's possible to click that page but not through HTTP.
    </quote>
    
    
    Basically, Lotus Notes' admin pages are built (for the most part) using the
    LotusScript language, similar to Visual Basic, which is ONLY accessible
    by the Notes client, not by any browser. A browser supports only
    HTML/JavaScript and Formula Language
    (that's compiled into JavaScript and HTML on the server); that's why it's
    showing nothing in the browser but does in the Notes client, hence unclickable.
    
    <quote>
    Is there a workaround url that bypasses that page?
    </quote>
    
    
    -- I guess not.
    
    M. Zeeshan Mustafa
    MCSD SCJP
    Software Security Specialist & Architect
    E: securityat_private
    C: +92(0)300-9249567
    W: http://www.zeeshan.net
    ----- Original Message -----
    From: <svetsanjat_private>
    To: <pen-testat_private>
    Sent: Wednesday, November 27, 2002 11:28 AM
    Subject: Lotus Notes
    
    
    > We are doing a penetration test for a client who has Lotus Notes. We
    > were able to access the catalog.nsf file from the web and other admin
    > pages such as the user list page, connections page, database page, etc.
    >
    > Question is, is this just a low-level threat or can a hacker use this
    > info to hack further? Also, clicking on some of the admin pages brings up
    > a default page which says "click here to access page". On a Notes client
    > it's possible to click that page but not through HTTP. Is there a
    > workaround URL that bypasses that page?
    >
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
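    An added check, not part of the thread above and not from Lotus/IBM: a small
    Python script that tests from the outside whether the database ACL point made
    in the reply actually holds, i.e. whether well-known Domino system databases
    such as catalog.nsf and names.nsf answer to an anonymous HTTP request. The
    database list is a constructed sample of standard Domino databases (not
    exhaustive), the host name is hypothetical, and the "login form" detection is
    a heuristic (password input in the body, or a final URL containing ?Login).
    The demo run uses constructed responses so it runs offline; pass a real base
    URL with the default fetcher to test a live server you are authorised to test.

    ```python
    """Anonymous-access check for well-known Lotus Domino databases (added example)."""
    from urllib.parse import urljoin
    import urllib.error
    import urllib.request

    # Standard Domino system databases that a default install commonly exposes
    # over HTTP. Constructed sample for this example; not an exhaustive list.
    DEFAULT_DATABASES = [
        "catalog.nsf",   # database catalog: lists every database on the server
        "names.nsf",     # Domino Directory: users, groups, server documents
        "log.nsf",       # server log
        "domlog.nsf",    # web server request log
        "webadmin.nsf",  # web administration
        "admin4.nsf",    # administration requests
        "events4.nsf",   # monitoring configuration
        "statrep.nsf",   # statistics reports
        "domcfg.nsf",    # web configuration (login form mapping)
        "certlog.nsf",   # certification log
    ]


    def http_fetch(url, timeout=10):
        """Fetch one URL anonymously; returns (status, final_url, body)."""
        req = urllib.request.Request(url, headers={"User-Agent": "domino-acl-check/0.1"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                body = resp.read(65536).decode("latin-1", "replace")
                return resp.status, resp.geturl(), body
        except urllib.error.HTTPError as err:
            body = err.fp.read(65536).decode("latin-1", "replace") if err.fp else ""
            return err.code, url, body


    def classify(status, final_url, body):
        """Map a response to what it says about the database's Anonymous ACL entry."""
        if status == 404:
            return "absent"            # database not present (or hidden)
        if status in (401, 403):
            return "protected"         # Anonymous has no access (basic auth / denied)
        if status == 200:
            low = body.lower()
            # Heuristic: session-based auth serves a login form instead of content.
            if 'type="password"' in low or "type='password'" in low or "?login" in final_url.lower():
                return "login-required"
            return "open"              # content served to Anonymous: ACL too permissive
        return "other:%d" % status


    def probe(base_url, databases=DEFAULT_DATABASES, fetch=http_fetch):
        """Probe each database under base_url; returns {database: classification}."""
        results = {}
        for db in databases:
            url = urljoin(base_url.rstrip("/") + "/", db)
            status, final_url, body = fetch(url)
            results[db] = classify(status, final_url, body)
        return results


    def exposed(results):
        """Databases whose content is readable anonymously: fix their ACL first."""
        return sorted(db for db, state in results.items() if state == "open")


    def _fake_fetch(url):
        """Constructed responses standing in for a misconfigured Domino server."""
        name = url.rsplit("/", 1)[-1]
        pages = {
            "catalog.nsf": (200, url, "<html><title>Database Catalog</title>..."),
            "names.nsf": (200, url, "<html><title>Domino Directory - People</title>..."),
            "log.nsf": (200, url + "?Login", '<form><input type="password" name="Password"></form>'),
            "webadmin.nsf": (401, url, "Unauthorized"),
        }
        return pages.get(name, (404, url, "Not Found"))


    if __name__ == "__main__":
        # Hypothetical host; swap in a real base URL and drop fetch= for a live check.
        report = probe("http://domino.example", fetch=_fake_fetch)
        for db, state in report.items():
            print("%-14s %s" % (db, state))
        print("exposed:", exposed(report))
    ```

    An "open" result for names.nsf or catalog.nsf means the Anonymous entry in
    that database's ACL grants at least Reader access; the fix the reply points
    at is to set Anonymous to No Access in each affected database's ACL (and to
    check what -Default- grants), then re-run the probe to confirm the result
    changes to "protected" or "login-required".
    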
    



    This archive was generated by hypermail 2b30 : Sat Nov 30 2002 - 12:34:34 PST