Lotus moves to fix Domino flaw

Lotus has given the highest priority to fixing a flaw with its Domino webserver, and has said it hopes to have a fix ready by 13 January.

The problem leaves the webserver vulnerable to attack by Netscape 4.x users who can gain access to files located on the system drive if the user knows the path and file name.

The problem was one of two reported to the moderated security mailing list bugtraq late on Monday, prompting some consultants, such as MIS Corporate Defence Solutions (MIS), to inform clients that they may have no secure alternative but to close down their servers until a workaround was published.

A spokeswoman for Lotus said it was aware of the webserver issue and hoped to have a patch ready by 13 January. She added that a full statement, including a workaround for the problem, has been posted on the Notes/Domino Gold release Forum at the notes.net website.

The other problem referred to a claim that any authorised user of the Domino mail system could gain unauthorised access to any mailbox in the system by modifying the traffic between their client and Domino server or by modifying the client software itself.

However, other security professionals have since informed bugtraq that they have been unable to reproduce the email issue and it seems that this claim has little merit.

Experts said they weren't surprised that the webserver problem had been discovered and predicted that more would come to light as security professionals switched their focus from Microsoft products to those of other vendors.

Paul Rogers, a network security analyst at MIS, said: "It was only a matter of time before a serious vulnerability was discovered in Lotus Domino, or similar products, as security professionals start to put them under the same degree of scrutiny they do products from Microsoft."