Michael Gollmick of TIMETOACT Software & Consulting GmbH and Daniel Nashed of Nash!Com contacted IBM® Lotus® to report a potential LotusScript security vulnerability with Lotus Domino®. This issue has been fixed in Lotus Domino releases 7.0.2 Fix Pack 3 (FP3), 7.0.3 and 8.0 with the use of a new notes.ini parameter.
When using the Evaluate LotusScript method in conjunction with specific @ formula commands to design views and agents, it was found that unexpected results could be returned. In specific situations, the view or agent could return information of which the user normally would not be able to access. These results are dependent on how the view or agent is written, and which identity (server or user) is being used to execute the view or agent.
In the past, the security context default was the server, and thus in certain situations the server identity would be used.
This issue was reported to Quality Engineering as SPR# KEMG6M9RAU. Starting with Lotus Domino releases 7.0.2 Fix Pack 3 (FP3), 7.0.3 and 8.0, you will be able to control the security context with the notes.ini parameter Enforce_EffectiveUserRights_EvaluateCommand
This notes.ini parameter can be set to the value of 0 (Don't Enforce) or 1 (Enforce) to control whether the server context or user context is used. If this parameter is not set, then it will use the default for the specific version in use.
-- The default for Lotus Domino 7.0.2 (FP3) and 7.0.3 is "Don't Enforce"
-- The default for Lotus Domino 8.0 (or higher) is "Enforce"
You must recycle the Domino server after changing this parameter before it will be enabled.
Refer to the Upgrade Central site for details on upgrading Notes/Domino.
Ensure that the database design is tested with both a Lotus Notes client and Web browser to ensure that the database design returns the expected information.
|Security Rating using Common Vulnerability Scoring System (CVSS) v2|
|CVSS Base Score: < 3.5 >
---- Impact Subscore: < 2.9 >
---- Exploitability Subscore: < 6.8 >
CVSS Temporal Score: < 2.7 >
CVSS Environmental Score: < Undefined* >
Overall CVSS Score: < 2.7 >
|Base Score Metrics:
|Temporal Score Metrics:
*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.