Inter@ctive Week
January 26, 1998

Lotus Plugs Up Security Hole

By Mel Duvall

Lotus Development Corp. took steps Jan. 21 to mitigate damage caused by news that its Domino Web server is vulnerable to hacker attacks.

The company posted directions on its World Wide Web site on how to plug a security hole that could give unauthorized users unrestricted access to default Domino databases. The Boston-based L0pht hacker group discovered the flaw.

The flaw is not so much a bug in the software as a glitch in the way Domino servers may be configured by Webmasters.

Paul Davis, a spokesman for Lotus (www.lotus.com), said the company is taking immediate steps to alert Domino users of the potential flaw and is advising them how to avoid the problem.

"We are also looking at what we can do to improve the default of the ACL [Access Control Lists]," Davis said. "We intend to have those improvements included in future shipping versions of Domino."

According to L0pht, the problem exists because the ACL default is set to give every user read and write access to the database, and there is no way to automatically reset the ACL to grant read-only access for a large number of databases at a single time.

The administrator must check each default manually, making it highly likely that a number of databases may be at risk.
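As an added defender's check for the condition described above (example code written for this page, not from the article, L0pht or Lotus), the following LotusScript agent walks every database on a server and reports those whose -Default- ACL entry grants more than Reader access. It assumes the NotesDbDirectory, NotesACL and NotesACLEntry classes of a current Domino release and an agent ID with at least Reader access to each database; the LevelName helper is defined here for readability.

```lotusscript
' Audit agent: list databases whose -Default- ACL entry allows writing.
' Run from a server-side agent; it reports only and changes nothing, so each
' flagged database can be reviewed and corrected individually.

Function LevelName(level As Integer) As String
    ' Map NotesACLEntry.Level constants to their Domino ACL names
    Select Case level
    Case ACLLEVEL_NOACCESS: LevelName = "No Access"
    Case ACLLEVEL_DEPOSITOR: LevelName = "Depositor"
    Case ACLLEVEL_READER: LevelName = "Reader"
    Case ACLLEVEL_AUTHOR: LevelName = "Author"
    Case ACLLEVEL_EDITOR: LevelName = "Editor"
    Case ACLLEVEL_DESIGNER: LevelName = "Designer"
    Case ACLLEVEL_MANAGER: LevelName = "Manager"
    Case Else: LevelName = "Unknown(" & CStr(level) & ")"
    End Select
End Function

Sub Initialize
    Dim session As New NotesSession
    Dim dir As NotesDbDirectory
    Dim db As NotesDatabase
    Dim entry As NotesACLEntry
    Dim flagged As Integer

    ' "" selects the server the agent runs on; pass a server name to audit another
    Set dir = session.GetDbDirectory("")
    Set db = dir.GetFirstDatabase(DATABASE)
    Do Until db Is Nothing
        If Not db.IsOpen Then Call db.Open("", "")
        If db.IsOpen Then
            ' -Default- is the entry that applies to any user not listed explicitly
            Set entry = db.ACL.GetEntry("-Default-")
            If Not entry Is Nothing Then
                ' Author and above can create or modify documents: that is the
                ' "read and write" default the article warns about
                If entry.Level > ACLLEVEL_READER Then
                    flagged = flagged + 1
                    Print db.FilePath & ": -Default- is " & LevelName(entry.Level)
                End If
            End If
        End If
        Set db = dir.GetNextDatabase
    Loop
    Print "Databases with a writable -Default- entry: " & CStr(flagged)
End Sub
```

Anonymous Web users fall under -Default- unless an explicit "Anonymous" entry exists, so databases with such an entry should be reviewed for that entry's level as well.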

News of the flaw came just days before Lotus' annual product showcase, Lotusphere, in Orlando, Fla.