IBM Lotus Notes sets insecure default permissions on the Notes directory. This vulnerability may allow a local attacker to gain unintended access to Lotus Notes program data.
IBM Lotus Notes installs numerous program files and program data in a special directory known as the Notes directory. According to IBM Technote #21246773:
By default, beginning with Notes 6.5.4 and affecting 6.5.5, 7.0 and 7.0.1, "Full Control" access (read/write/execute) to the Notes program and data directory is granted to the Windows group "Everyone".
A local attacker may be able to gain unintended access to Lotus Notes program data.
Upgrade to unaffected versions of Lotus Notes.
Lotus Notes versions 6.5.6 and 7.0.2 are reportedly not affected by this issue.
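One way to check a host for the condition the Technote describes, as an added PowerShell example that is not from IBM or from the original note: it reports Allow entries for the Everyone group (well-known SID S-1-1-0) that carry write-capable rights on a directory. The function name and the path argument are assumptions; pass the Notes program or data directory of the installation being checked.

```powershell
# Added example: report write-capable ACEs granted to Everyone on a directory.
# The directory is supplied by the caller; the note does not give the
# install location of the Notes directory.
function Test-EveryoneWriteAccess {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    $everyoneSid = 'S-1-1-0'   # well-known SID, independent of OS language
    $sidType     = [System.Security.Principal.SecurityIdentifier]
    $rights      = [System.Security.AccessControl.FileSystemRights]

    # Rights that let a local user alter program files or program data.
    $writeMask = [int]($rights::Write -bor $rights::Delete -bor
                       $rights::ChangePermissions -bor $rights::TakeOwnership)
    $fullMask  = [int]$rights::FullControl
    # Generic bits can appear unmapped in an ACE.
    $genericAll   = 0x10000000
    $genericWrite = 0x40000000

    $acl = Get-Acl -LiteralPath $Path
    # Ask for identities as SIDs so the match does not depend on the group name.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.IdentityReference.Value -ne $everyoneSid) { continue }
        if ($rule.AccessControlType -ne 'Allow') { continue }

        $mask      = [int]$rule.FileSystemRights
        $isFull    = (($mask -band $fullMask) -eq $fullMask) -or
                     [bool]($mask -band $genericAll)
        $canWrite  = $isFull -or [bool]($mask -band $writeMask) -or
                     [bool]($mask -band $genericWrite)

        if ($canWrite) {
            [pscustomobject]@{
                Path        = $Path
                Rights      = $rule.FileSystemRights
                FullControl = $isFull
                Inherited   = $rule.IsInherited
                AppliesTo   = $rule.InheritanceFlags   # propagation to children
            }
        }
    }
}
```

No output means the directory's ACL has no write-capable Allow entry for Everyone; a row with `FullControl` set to `True` matches the default described in the Technote.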
This issue was reported by Carsten Eiram of Secunia Research.
This document was written by Jeff Gennari.
Date First Published: 2006-10-20
Date Last Updated: 2006-10-20 15:38 UTC