
Re: Lotus Notes

From: M. Zeeshan Mustafa <security(at)zeeshan.net>
Date: Wed Nov 27 2002 - 15:16:36 EST

SKP, Notes security architecture isn't bad at all; basically this threat is because of wrong configuration at the beginning of the Notes installation. The solution is that if you go to the database access control list, you can configure it there.

Yes, this information can be used for exploiting, such as brute forcing since there are global login attempt checks, you are still secure.

<quote>
On a Notes client it's possible to click that page but not through http. </quote>

Basically, Lotus Notes' admin pages are built using (for the most part) the LotusScript language, similar to Visual Basic, that is ONLY accessible by the Notes client, not by any browser. The browser supports only HTML/JavaScript and Formula Language (that's compiled into JavaScript and HTML on the server); that's why it's showing nothing in the browser, but in the Notes client, hence unclickable.

<quote>
Is there a workaround url that bypasses that page? </quote>

> We are doing a penetration testing for a client who has lotus notes. We

--

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Received on Wed Nov 27 18:54:48 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:31 EDT
