Lotus Notes does not adequately secure databases thereby permitting arbitrary user to extract file attachments via NSFDbReadObject function call

Overview

Lotus Domino Servers 5.x, 4.6x, and 4.5x allow users to associate objects with documents in a database. While these objects appear to be a part of the document, they are actually stored as separate files. A vulnerability exist by which an intruder could view these objects regardless of the permissions set on the document to which they belong.

Description

Lotus Notes allows users to associate objects with documents in a database. While these objects appear to be a part of the document, they are actually stored as separate files. Access to the documents and objects are controlled by the database ACL, however, the use of the Reader and Author lists can further restrict access to individual documents . The Reader and Author lists modify access only to the documents themselves and not to associated objects. Therefore an intruder who does not have access to a document, because of permissions set by the Reader and Author lists, can still access the objects associated with that document. Using Notes API calls an intruder can directly open the desired object if the Notes unique document ID of that object is known. The intruder must be able to access the target database in order to exploit this vulnerability. Lotus has released a Tech Note to address this problem.

---

Impact

An intruder can view objects that they do not have permission to view.

---

Solution

Upgrade to Notes/Domino R5.0.10.

---

A workaround is to use document encryption to protect rich text fields that contain attachments. Documents can be encrypted using either public encryption keys (for example, the keys of the users listed in the reader names field) or using secret encryption keys.

---

Vendor Information

657899

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Lotus __ Affected

Notified: September 18, 2001 Updated: April 08, 2002

Status

Affected

Vendor Statement

R5.0.10 is now available and the technote has been updated

http://www-1.ibm.com/support/manager.wss?rs=1&rt=0&org=sims&doc=CCA46CF459BA6E4A85256AE3007C92C1

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23657899 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• http://www-1.ibm.com/support/manager.wss?rs=1&rt=0&org=sims&doc=CCA46CF459BA6E4A85256AE3007C92C1
• <http://www.notes.net/r5fixlist.nsf/6d4eae9850a5c2c28525690400551b57/c70d32759ce081f085256b8000792907?OpenDocument&gt;

Acknowledgements

This vulnerability was discovered by Joshua Jore.

This document was written by Jason Rafail and is based on the Tech Note released by Lotus to address this issue.

Other Information

CVE IDs:	CVE-2002-0037
Severity Metric:	1.41 Date Public: