Yes, it still is under certain conditions:

- The Notes mailbox is set to accept stored forms
- The ECL settings for the workstation allow anything to be done

By default the Notes mailbox is set to allow the usage of stored forms, where you can store malicious code.

Starting with release 5.0.2, the default ECL has been defaulted to not allow any operation for the malicious code.

Now if a user opens its ECL (the operation is done at workstation level and is global to the workspace), yes, the risk still exists.

Patrick

"Grank D'souza" <gd_souzaat_private>
18.09.2001 00:09

To: vuln-devat_private
cc:
Subject: Is R5 exposed to stored forms exploits?

--------------------Short version of the issue-------------------------

Is the R5 Domino/Notes environment vulnerable to the stored form exploit over the Internet? It seems that SMTP-routing stored forms emails changes them into attachments and Notes-routing stored forms requires cross-certification. Given these two issues, is the danger of stored forms from the Internet still a reality?

-------------------Long version of the issue----------------------------

It has been long known and recently publicized (DefCon 7/2000, BugTraq 2/2001, Lotus 4/2001) that stored forms (also called active content, mailbombs etc.) via emails can carry malicious code. In the R4.x world, an internet attacker could embed malicious code written in LotusScript in emails and send them by choosing "Maintain Notes format via the Internet" (or some such option available in the Actions - Special Options menu). This email, when read by the recipient, would cause damage (there was no need to launch any attachments).

With the R5 release, one can route messages over the Internet using "SMTP routing" or "Notes routing". The use of an R5 machine to process SMTP-routed emails converts the stored forms into the annoying attachments called either "encap2.ond" or "c.dtf". These attachments can't be easily launched and the stored form code is not easily executed.

The use of "Notes routing" - can maintain stored forms - but requires cross-certification (so I have been told). Again an attacker would not be capable of cross-certifying.

Lotus still recommends that stored forms be disabled in R5 - but does not specify if the exposure is from internal users or external users.

So, do we still have an exposure from stored forms in R5 - or can we sleep peacefully at night? I appreciate your expertise and input on this matter.

Regards.
- Grank.
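
An inventory check for the SMTP-routed case described in the question, as an added example that is not part of the original posts: it walks a message's MIME parts, including forwarded messages, and reports attachments carrying the two names the post gives for converted stored forms. The function names and the sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment names the post gives for stored forms converted by R5 SMTP routing.
CONVERTED_FORM_NAMES = {"encap2.ond", "c.dtf"}


def find_converted_stored_forms(raw_bytes):
    """Return (content_type, filename) for each MIME part with a matching name.

    walk() also descends into message/rfc822 parts, so forwarded mail is covered.
    get_filename() decodes RFC 2231 names and falls back to the Content-Type
    'name' parameter when Content-Disposition carries no filename.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.strip().lower() in CONVERTED_FORM_NAMES:
            hits.append((part.get_content_type(), name.strip()))
    return hits


def build_sample(attachment_name):
    """Constructed sample message with one binary attachment (not real mail)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("body text")
    m.add_attachment(b"\x00\x01", maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m


def build_forwarded_sample(attachment_name):
    """Constructed sample: the flagged message wrapped as a forwarded attachment."""
    outer = EmailMessage()
    outer["Subject"] = "Fwd: constructed sample"
    outer.set_content("see attached message")
    outer.add_attachment(build_sample(attachment_name))
    return outer


if __name__ == "__main__":
    for sample in (build_sample("ENCAP2.OND"), build_sample("report.pdf"),
                   build_forwarded_sample("c.dtf")):
        print(sample["Subject"], find_converted_stored_forms(sample.as_bytes()))
```

A hit only says that a stored form was sent and converted in transit; whether form code can run on a client still depends on the mailbox and ECL settings discussed in the reply.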
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 08:48:26 PDT