Vulnerability Note VU#959207
Lotus Notes Java VM leaks file existence through timing difference in ECLs
Lotus Notes JVM leaks information about the existence of a file.
A malicious Java applet run in the Lotus Notes web browser can determine if a local file exists. Notes' preferences must be set to browse the web using the Notes browser, with execution of Java applets enabled.
When a Java applet tries to access local files, Lotus Notes presents a dialog box to the user asking whether access should be allowed. It presents this dialog only after checking whether the local file exists; if the file does not exist, the dialog is not shown. Thus, if the applet can determine whether the dialog was shown, for instance from the time the access attempt takes, it will know whether the file exists.
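The following Python is an added illustration, not Lotus Notes code: it models the check order described above (existence test first, permission dialog only for existing files) beside the order that closes the leak, and shows that only the first lets a caller who is always refused distinguish a present file from a missing one. Function names and file paths are constructed for the example.

```python
import os
import tempfile

# Toy model of the two check orders. Each access function returns
# (decision, dialog_shown); dialog_shown is the observable side effect
# that the timing difference exposes to the applet.

def vulnerable_access(path, ask_user):
    """Vulnerable order: existence is checked first, so the permission
    dialog is raised only for files that exist."""
    if not os.path.exists(path):
        return ("denied", False)       # no dialog: the fast path says "missing"
    if not ask_user(path):
        return ("denied", True)
    return ("allowed", True)

def hardened_access(path, ask_user):
    """Hardened order: the permission decision is made before the file
    system is touched, so whether the dialog appears (and the time taken)
    is the same for existing and missing files."""
    if not ask_user(path):
        return ("denied", True)        # same observable either way
    if not os.path.exists(path):
        return ("denied", True)
    return ("allowed", True)

def leaks_existence(access_fn):
    """Return True if access_fn lets a caller who is always refused by the
    user tell an existing file from a missing one via the dialog observable."""
    def always_refuse(_path):          # the user answers "No" every time
        return False
    with tempfile.TemporaryDirectory() as tmp:
        present = os.path.join(tmp, "present.txt")   # constructed sample file
        with open(present, "w") as f:
            f.write("constructed sample content\n")
        missing = os.path.join(tmp, "missing.txt")   # never created
        _, seen_present = access_fn(present, always_refuse)
        _, seen_missing = access_fn(missing, always_refuse)
    return seen_present != seen_missing

if __name__ == "__main__":
    print("vulnerable order leaks:", leaks_existence(vulnerable_access))  # True
    print("hardened order leaks:", leaks_existence(hardened_access))      # False
```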
By checking for the existence of certain files, an attacker can learn what software is installed and what programs have been executed recently on the client machine. However, the attacker cannot read or modify any files through this vulnerability.
Lotus plans to fix this issue in a future release of Notes.
Disable execution of Java applets in Notes preferences. For more details, see http://www-1.ibm.com/support/docview.wss?uid=swg21102440.
Systems Affected

| Vendor | Status | Date Notified | Date Updated |
| --- | --- | --- | --- |
| Lotus Software | Affected | 03 May 2001 | 30 Mar 2006 |
Thanks to Hiromitsu Takagi for reporting this vulnerability.
This document was written by Shawn Van Ittersum.
- CVE IDs: CVE-2000-1117
- Date Public: 28 Nov 2000
- Date First Published: 14 May 2001
- Date Last Updated: 30 Mar 2006
- Severity Metric: 0.06
- Document Revision: 16