IBM Support

Lotus Notes URI Handler Argument Injection Vulnerability

Technote (FAQ)


Jouko Pynnonen, in association with iDEFENSE, reported a vulnerability in the Lotus Notes 6.x client that may allow an attacker to execute malicious code on the user's workstation under certain circumstances.

The iDEFENSE advisory address is as follows:

The Notes URI handler fails to properly filter input when a web browser activates the Notes client after a user clicks a Notes URI.


This issue was reported to IBM Lotus software Quality Engineering and has been resolved in Notes 6.0.4 and 6.5.2. For information on obtaining these latest releases of Lotus Notes, refer to "Lotus Notes and Lotus Domino 6.x Maintenance Releases (MRs)" (#4007057). This issue does not occur in Notes R5 or 4.6x releases.

This exploit can be prevented if the use of Internet shares is restricted via firewall configuration or registry settings. It will also fail if the Notes client is already running on the user's workstation.

Document information

More support for: Lotus End of Support Products
Lotus Notes

Software version: 6.0, 6.5

Operating system(s): Windows

Reference #: 1169510

Modified date: 12 September 2004
