Reported June 26, 2004, by iDefense

VERSIONS AFFECTED

  • Lotus Notes 6.5 and 6.0.3

DESCRIPTION
A vulnerability in the Lotus Notes client can let an attacker execute malicious arbitrary code on the vulnerable system. Because of insufficient character filtering on the argument passed to notes.exe from the "notes:" Uniform Resource Identifier (URI) request, an attacker can to force a user to start Lotus Notes with a custom notes.ini file that's under the attacker's control and that specifies a custom data directory also under the attacker's control. The attacker can create a malicious DLL containing arbitrary code that's loaded and executed when notes.exe starts. The Notes URL handler fails to properly filter input when a Web browser activates the Notes client by clicking a Notes URL.

VENDOR RESPONSE
IBM has released bulletin SPR# KSPR5X6VEA, "Lotus Notes URL Handler Argument Injection Vulnerability," to address this vulnerability and recommends that affected users apply the appropriate patch listed in the bulletin.

CREDIT
Discovered by Jouko Pynnonen.