Evaluate LotusScript method returns unexpected results

Technote (FAQ)


Question

Michael Gollmick of TIMETOACT Software & Consulting GmbH and Daniel Nashed of Nash!Com contacted IBM® Lotus® to report a potential LotusScript security vulnerability with Lotus Domino®. This issue has been fixed in Lotus Domino releases 7.0.2 Fix Pack 3 (FP3), 7.0.3 and 8.0 with the use of a new notes.ini parameter.

Cause

When using the Evaluate LotusScript method in conjunction with specific @ formula commands to design views and agents, it was found that unexpected results could be returned. In specific situations, the view or agent could return information of which the user normally would not be able to access. These results are dependent on how the view or agent is written, and which identity (server or user) is being used to execute the view or agent.
In the past, the security context default was the server, and thus in certain situations the server identity would be used.


Answer

This issue was reported to Quality Engineering as SPR# KEMG6M9RAU. Starting with Lotus Domino releases 7.0.2 Fix Pack 3 (FP3), 7.0.3 and 8.0, you will be able to control the security context with the notes.ini parameter Enforce_EffectiveUserRights_EvaluateCommand

This notes.ini parameter can be set to the value of 0 (Don't Enforce) or 1 (Enforce) to control whether the server context or user context is used. If this parameter is not set, then it will use the default for the specific version in use.

-- The default for Lotus Domino 7.0.2 (FP3) and 7.0.3 is "Don't Enforce"
-- The default for Lotus Domino 8.0 (or higher) is "Enforce"

You must recycle the Domino server after changing this parameter before it will be enabled.

Refer to the Upgrade Central site for details on upgrading Notes/Domino.


Additional Information
Ensure that the database design is tested with both a Lotus Notes client and Web browser to ensure that the database design returns the expected information.


Security Rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: < 3.5 >
---- Impact Subscore: < 2.9 >
---- Exploitability Subscore: < 6.8 >
CVSS Temporal Score: < 2.7 >
CVSS Environmental Score: < Undefined* >
Overall CVSS Score: < 2.7 >
Base Score Metrics:
  • Related exploit range/Attack Vector: < Network >
  • Access Complexity: < Medium >
  • Authentication < Single Instance >
  • Confidentiality Impact: < Complete >
  • Integrity Impact: < None >
  • Availability Impact: < None >
Temporal Score Metrics:
  • Exploitability: < Proof of Concept Code >
  • Remediation Level: < Official Fix >
  • Report Confidence: < Confirmed >
References:

*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.


Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

IBM Domino
Security

Software version:

7.0, 8.0

Operating system(s):

AIX, Linux, OS/400, Solaris, Windows, z/OS

Reference #:

1273266

Modified date:

2007-10-24

Translate my page

Machine Translation

Content navigation