Lotus Notes Visible Views Disclosure Vulnerability

Lotus Domino is an application server developed by IBM. One of its features is remote user interaction with a Lotus Notes database through a web-based interface.

A remote attacker may be able to access potentially sensitive information about the database (its visible views) because a default Navigator exists.

It is suggested that URL redirection based on pattern matching be implemented to prevent unauthorized access to this Navigator. This may not be sufficient, as it is possible to manipulate an HTTP request so that some patterns are not matched.
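The weakness noted above is that a rule compared against the raw request text misses equivalent spellings of the same URL. The following added example (not from the advisory or from IBM) canonicalises the request target before the deny check; the element name `$ExampleNav`, the rule and the sample requests are constructed placeholders, since the advisory does not name the Navigator.

```python
import re
from urllib.parse import unquote

# Placeholder: the advisory does not name the navigator element.
BLOCKED_ELEMENT = "$examplenav"

# A literal pattern of the kind a redirection rule might use (constructed).
NAIVE_RULE = re.compile(r"\.nsf/\$ExampleNav")


def naive_match(request_target: str) -> bool:
    """Match the raw request target exactly as received."""
    return NAIVE_RULE.search(request_target) is not None


def canonical_path(request_target: str, max_rounds: int = 3) -> str:
    """Reduce a request target to one comparable form before matching.

    Deliberately conservative: it may decode more than the server does,
    which can only widen what the deny rule covers.
    """
    path = request_target
    for _ in range(max_rounds):              # undo nested percent-encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.split("?", 1)[0]             # drop the query string
    path = path.replace("\\", "/").lower()   # assumption: match case-insensitively
    return re.sub(r"/{2,}", "/", path)       # collapse repeated separators


def should_block(request_target: str) -> bool:
    """Deny when a path segment after a .nsf database is the blocked element."""
    segments = canonical_path(request_target).split("/")
    for i, seg in enumerate(segments):
        if seg.endswith(".nsf"):
            return BLOCKED_ELEMENT in segments[i + 1:]
    return False


if __name__ == "__main__":
    # Constructed request targets, not captured traffic.
    for target in ("/app/db.nsf/$ExampleNav?OpenNavigator",
                   "/app/db.nsf/%24examplenav?OpenNavigator",
                   "/app/db.nsf/AllDocs?OpenView"):
        print(f"{target!r}: naive={naive_match(target)} "
              f"canonical={should_block(target)}")
```

A deny decision made on the canonical form should be paired with database ACLs, since the redirection rule is only a filter in front of the resource.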


 

Copyright 2010, SecurityFocus