Buffer Overflow in iNotes s_ViewName
February 19, 2003
Risk level: High
This buffer overflow may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the Domino server.
Versions Affected: Domino R6
A buffer overflow exists in the iNotes component of the Domino application server. This buffer overflow occurs when a long value is set for the s_ViewName parameter. When the Domino server processes the request, the value is copied into a buffer which can be overflowed, allowing an attacker to execute arbitrary code under the security context of the web server.
iNotes is a Lotus product which includes iNotes Web Access and iNotes Access for Microsoft Outlook. With iNotes Web Access, users can access messaging, collaboration, and personal information management capabilities with a Web browser.
When using iNotes Web Access, HTTP requests such as the following are used to access the features of the Domino application:
Notice that at the end of the URL there are a number of PresetFields, including s_ViewName, followed by a semicolon and some values. Replacing the value Inbox with a long string triggers the buffer overflow.
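Until the fix is applied, overlong s_ViewName values can be looked for in web server access logs. The Python below is an added example, not part of the original advisory or of any Lotus tooling; the log line format, the request path, the s_Other field, the characters taken to end the value and the 128-character limit are all assumptions.

```python
import re
from urllib.parse import unquote

MAX_VIEWNAME_LEN = 128  # assumption: tune to the longest view name in use

# Per the advisory, s_ViewName is followed by a semicolon and its value.
# Assumption: the value ends at the next ',' or '&', or at the end of the URL.
VIEWNAME_RE = re.compile(r"s_ViewName;([^,&]*)", re.IGNORECASE)
# Assumption: access-log lines carry the request as "METHOD target HTTP/x.y".
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')


def longest_viewname(target):
    """Length of the longest s_ViewName value in a request target, or 0."""
    query = target.partition("?")[2]
    longest = 0
    # Check the raw and the percent-decoded query, so neither an encoded
    # semicolon nor an encoded separator inside the value hides the length.
    for form in (query, unquote(query, encoding="latin-1")):
        for match in VIEWNAME_RE.finditer(form):
            longest = max(longest, len(match.group(1)))
    return longest


def suspicious_lines(log_lines, limit=MAX_VIEWNAME_LEN):
    """Return (line_number, value_length) for requests over the limit."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        request = REQUEST_RE.search(line)
        if not request:
            continue
        length = longest_viewname(request.group(1))
        if length > limit:
            hits.append((number, length))
    return hits


# Constructed sample log lines (not from a real server); the request path
# and the s_Other field are hypothetical.
_PREFIX = ('192.0.2.10 - - [19/Feb/2003:10:00:01 +0000] '
           '"GET /mail/user.nsf/iNotes/Mail/?OpenDocument&PresetFields=')
SAMPLE_LOG = [
    _PREFIX + 's_ViewName;Inbox,s_Other;1 HTTP/1.0" 200 5120',
    _PREFIX + 's_ViewName;' + "A" * 600 + ' HTTP/1.0" 500 -',
    _PREFIX + 'S_VIEWNAME%3B' + "%41" * 300 + ' HTTP/1.0" 500 -',
    '192.0.2.10 - - [19/Feb/2003:10:00:12 +0000] "GET /homepage.nsf HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for number, length in suspicious_lines(SAMPLE_LOG):
        print(f"line {number}: s_ViewName value of {length} characters")
```

The same length limit can be enforced at a reverse proxy or web filter in front of the Domino server while the maintenance update is being rolled out.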
To fix this problem, you should download and apply the latest MR/MU. These maintenance updates are available from the Lotus web site, http://www-10.lotus.com/ldd/r5fixlist.nsf/Progress/$first?opendocument
This particular issue is fixed in R6.0.1 (currently available).