December 23, 1996 5:08 PM ET

Lotus patches hole in Domino 4.5 security
By Matt Kramer
Lotus Development Corp. has released a patch for its Domino 4.5 servers to fix a security hole that lets World Wide Web browser users impersonate legitimate Notes users.

The security hole, described in a security advisory issued by Internet service provider L0pht Heavy Industries, affects Web browser users accessing a Domino server running on NT or on the Unix versions for Solaris or AIX platforms. The patch also is aimed at installations running Notes Release 4.12 and Domino Release 1.5.

According to the L0pht security advisory, some Web browser users might be able to access an edit form for a Domino document and enter data under the identity of another user.

For NT installations, an incremental installer, Domino 4.5a, is available on the Web at http://beta.notes.net. For Unix servers, replacement files (http and strings.res) are available from beta.notes.net. Lotus will also be shipping replacement CD kits.

Administrators at sites running Domino servers that are accessed only by Web browsers and are not replicated to other servers that provide access to Notes clients can set the Access Control List on the server's name and address book to No Access.