Is R5 exposed to stored forms exploits?

From: Grank D'souza (gd_souzaat_private)
Date: Mon Sep 17 2001 - 22:09:20 PDT


    --------------------Short version of the issue-------------------------
    Is the R5 Domino/Notes environment vulnerable to the stored form exploit over 
    the Internet?
    
    It seems that SMTP-routing stored forms emails changes them into attachments 
    and Notes-routing stored forms requires cross-certification.
    
    Given these two issues, is the danger of stored forms from the Internet still a 
    reality?
    
    -------------------Long version of the issue----------------------------
    It has been long known and recently publicized (DefCon 7/2000, BugTraq 
    2/2001, Lotus 4/2001) that stored forms (also called active content, 
    mailbombs, etc.) via emails can carry malicious code.
    
    In the R4.x world, an internet attacker could embed malicious code written in 
    LotusScript in emails and send them by choosing "Maintain Notes format via 
    the Internet" (or some such option available in the Actions - Special Options 
    menu).  This email, when read by the recipient, would cause damage (there was 
    no need to launch any attachments).
    
    With the R5 release, one can route messages over the Internet using "SMTP 
    routing" or "Notes routing".
    
    The use of an R5 machine to process SMTP-routed emails converts the stored 
    forms into the annoying attachments called either "encap2.ond" or "c.dtf".  
    These attachments can't be easily launched and the stored form code is not 
    easily executed.
    
    The use of "Notes routing" - can maintain stored forms - but requires 
    cross-certification (so I have been told).  Again an attacker would not be 
    capable of cross-certifying.
    
    Lotus still recommends that stored forms be disabled in R5 - but does not 
    specify if the exposure is from internal users or external users.
    
    So, do we still have an exposure from stored forms in R5 - or can we sleep 
    peacefully at night?
    
    I appreciate your expertise and input on this matter.
    
    Regards.
    
    - Grank.
    ------------------------------------------------------------------------
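
Added example, not part of the original post: a mailbox or gateway audit that lists MIME parts carrying the two attachment names the post mentions ("encap2.ond", "c.dtf"). The function names, addresses and sample message are constructed for illustration; only the two file names come from the post.

```python
import base64
import email
from email import policy

# Attachment names the post says R5 SMTP routing produces from stored forms.
ENCAPSULATED_NAMES = {"encap2.ond", "c.dtf"}
# Constructed stand-in bytes; not real encapsulated Notes data.
PLACEHOLDER = b"constructed placeholder, not real form data"


def find_encapsulated_forms(raw_bytes):
    """Return (filename, content_type, decoded_size) for each matching part."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():  # walk() also descends into nested messages
        if part.is_multipart():
            continue
        name = part.get_filename()  # falls back to the Content-Type name=
        if not name:
            continue
        # Compare the base name only, ignoring case and any path prefix.
        base = name.replace("\\", "/").rsplit("/", 1)[-1].strip().lower()
        if base in ENCAPSULATED_NAMES:
            payload = part.get_payload(decode=True) or b""
            hits.append((base, part.get_content_type(), len(payload)))
    return hits


def build_sample(attachment_name):
    """Build a constructed two-part message with one named attachment."""
    lines = [
        "From: sender@example.org", "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="b1"', "",
        "--b1", "Content-Type: text/plain", "", "hello",
        "--b1", "Content-Type: application/octet-stream",
        "Content-Transfer-Encoding: base64",
        f'Content-Disposition: attachment; filename="{attachment_name}"', "",
        base64.b64encode(PLACEHOLDER).decode("ascii"), "--b1--", "",
    ]
    return "\r\n".join(lines).encode("ascii")


if __name__ == "__main__":
    for name in ("ENCAP2.OND", "c.dtf", "report.txt"):
        print(name, find_encapsulated_forms(build_sample(name)))
```

A match only shows that a part carries one of those names; it says nothing about whether the message was Notes-routed or what the attachment contains.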
    
    


