 |
Software > Lotus >
|
|
|
|
Evaluate LotusScript method returns unexpected results
|
| | | | Question | | Michael Gollmick of TIMETOACT Software & Consulting GmbH and Daniel Nashed of Nash!Com contacted IBM® Lotus® to report a potential LotusScript security vulnerability with Lotus Domino®. This issue has been fixed in Lotus Domino releases 7.0.2 Fix Pack 3 (FP3), 7.0.3 and 8.0 with the use of a new notes.ini parameter. | | | | | Cause | When using the Evaluate LotusScript method in conjunction with specific @ formula commands to design views and agents, it was found that unexpected results could be returned. In specific situations, the view or agent could return information of which the user normally would not be able to access. These results are dependent on how the view or agent is written, and which identity (server or user) is being used to execute the view or agent.
In the past, the security context default was the server, and thus in certain situations the server identity would be used. | | | | | Answer | | This issue was reported to Quality Engineering as SPR# KEMG6M9RAU. Starting with Lotus Domino releases 7.0.2 Fix Pack 3 (FP3), 7.0.3 and 8.0, you will be able to control the security context with the notes.ini parameter Enforce_EffectiveUserRights_EvaluateCommand This notes.ini parameter can be set to the value of 0 (Don't Enforce) or 1 (Enforce) to control whether the server context or user context is used. If this parameter is not set, then it will use the default for the specific version in use.
-- The default for Lotus Domino 7.0.2 (FP3) and 7.0.3 is "Don't Enforce"
-- The default for Lotus Domino 8.0 (or higher) is "Enforce"
You must recycle the Domino server after changing this parameter before it will be enabled.
Refer to the Upgrade Central site for details on upgrading Notes/Domino.
Additional Information
Ensure that the database design is tested with both a Lotus Notes client and Web browser to ensure that the database design returns the expected information.
|
CVSS Base Score: < 3.5 >
---- Impact Subscore: < 2.9 >
---- Exploitability Subscore: < 6.8 >
CVSS Temporal Score: < 2.7 >
CVSS Environmental Score: < Undefined* >
Overall CVSS Score: < 2.7 > | Base Score Metrics: - Related exploit range/Attack Vector: < Network >
- Access Complexity: < Medium >
- Authentication < Single Instance >
- Confidentiality Impact: < Complete >
- Integrity Impact: < None >
- Availability Impact: < None >
| Temporal Score Metrics: - Exploitability: < Proof of Concept Code >
- Remediation Level: < Official Fix >
- Report Confidence: < Confirmed >
| | References: |
*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links. | | | | | | | | | |
|
|
| IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml. |
|
|
|
|
| Please take a moment to complete this form to help us better serve you. |
|
 |
|
|
|
|
|
|
| Product categories: |
|
| | Software | |
| | Messaging Applications | |
| | Advanced Messaging | |
| | Lotus Domino | |
| | Lotus Domino Server | |
|
| Operating system(s): |
| |
AIX, Linux, OS/400, Solaris, Windows, z/OS
|
|
| Software version: |
| |
6.5, 7.0, 8.0
|
|
| Reference #: |
| |
1273266
|
|
| IBM Group: |
| | Software Group |
|
| Modified date: |
| | 2007-10-24 |
|
|
