Lotus Domino notes.ini Insecure Permissions

2004-01-08T06:00:24
ID OSVDB:3424
Type osvdb
Reporter OSVDB
Modified 2004-01-08T06:00:24

Description

Vulnerability Description

Lotus Domino on Linux installs with default insecure permissions. The notes.ini file is installed with world-writable permissions. This allows attackers to change critical configuration parameters and possibly execute arbitrary code as the Notes user.

Technical Description

This is only an issue on the Linux version.

It may be an issue on earlier versions of 6.x.

The configuration parameters an attacker can change include the program that is called under certain conditions, which allows the attacker to (for example) open a shell as the Notes user.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s): change the permissions on the notes.ini file:

    chmod 660 notes.ini
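An added example, not part of the original advisory: a shell audit that finds notes.ini files carrying the world-writable bit and, when asked, applies the chmod 660 workaround described here. The function names and the search root passed as the first argument are assumptions; point it at your own Domino data directory.

```shell
#!/bin/sh
# Added example: audit notes.ini for world-writable permissions and
# optionally apply the advisory's workaround (chmod 660).
# Function names and the search root are assumptions, not Domino tooling.

# Print every notes.ini under $1 whose mode includes the "other write" bit.
find_world_writable_ini() {
    find "$1" -type f -name notes.ini -perm -0002 2>/dev/null
}

# audit_notes_ini ROOT [fix]
# Reports each world-writable notes.ini; with "fix", runs chmod 660 on it.
# Returns 0 if none remain world-writable afterwards, 1 otherwise.
audit_notes_ini() {
    root=$1
    action=${2:-report}
    list=$(find_world_writable_ini "$root")
    if [ -z "$list" ]; then
        echo "OK: no world-writable notes.ini under $root"
        return 0
    fi
    # One path per line; paths containing newlines are not handled.
    while IFS= read -r f; do
        echo "FINDING: $f is world-writable ($(ls -l "$f" | cut -c1-10))"
        if [ "$action" = fix ]; then
            chmod 660 "$f" && echo "FIXED: chmod 660 $f"
        fi
    done <<EOF
$list
EOF
    # Re-scan so the return value reflects what is on disk now.
    [ -z "$(find_world_writable_ini "$root")" ]
}

# Stand-alone use: sh audit.sh /path/to/domino/data [fix]
if [ "$#" -gt 0 ]; then
    audit_notes_ini "$@"
fi
```

Mode 660 still lets every member of the file's group write to notes.ini, so also confirm that the owner and group on the file are the ones you expect.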

References:

Secunia Advisory ID: 10566
Other Advisory URL: http://www.excluded.org/advisories/advisory05.txt
ISS X-Force ID: 14153
CVE-2004-0029
Bugtraq ID: 9366