Info

Disclosure

Oct 18, 2006

Discovery

Jul 22, 2005

Dates

Exploit

Unknown

Solution

Unknown

Description

Lotus Notes contains a flaw that may allow a malicious user to manipulate application's files. The issue is triggered due to default permissions that grant "Everyone" group "Full Control" on the 'notes' directory and all child objects. It is possible that the flaw may allow arbitrary files manipulation resulting in a loss of integrity.

Classification

Location: Local Access Required
Attack Type: Authentication Management, Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Unknown
Disclosure: OSVDB Verified
OSVDB: Concern

Solution

Upgrade to version 7.0.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

International Business Machines Corporation	Lotus Notes	6.5.4
		6.5.5
		6.5.6
		7.0.0
		7.0.1

References

Secunia Advisory ID: 19537 27342
CVE ID: 2005-2454 (see also: NVD)
SCIP VulDB ID: 2620
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-08/0355.html
http://archives.neohapsis.com/archives/bugtraq/2007-08/0359.html
http://archives.neohapsis.com/archives/fulldisclosure/2006-10/0375.html
Other Advisory URL: http://secunia.com/secunia_research/2005-29/advisory/
Vendor Specific Advisory URL: http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21246773
Vendor URL: http://www.lotus.com/products/product4.nsf/wdocs/noteshomepage

Credit

Carsten Eiram - -

Direct URL: http://osvdb.org/29761

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

International Business Machines Corporation

Lotus Notes

References

Credit