Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

                    ESB-2007.0801 -- [Win][UNIX/Linux]
       IBM Lotus Domino Web Server service is vulnerable to a stack
                           based buffer overflow
                              18 October 2007


        AusCERT Security Bulletin Summary

Product:              IBM Lotus Domino Web Server
Publisher:            UK Centre for the Protection of National Infrastructure (CPNI)
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated
CVE Names:            CVE-2007-0067

Original Bulletin:    


Comment: This vulnerability has been tested on the Microsoft Windows version,
         however all platforms may be affected.

- --------------------------BEGIN INCLUDED TEXT--------------------

CSIRTUK advisories

3430 - IBM Lotus Domino Web Server vulnerability

ID: 3430
Date: 15 October 2007 23:43

Title: 3430 - IBM Lotus Domino Web Server vulnerability
Abstract: The IBM Lotus Domino Web Server service is vulnerable to a stack based buffer overflow which can be exploited remotely.
Vendors affected: IBM
Applications affected: Lotus Domino
Advisory type: Information
Adversity source: Unknown
Attack Vector: Vulnerability exploitation
Potential Damage: Remote unauthorised modification
Availability of fix: Available
Type of fix: Patch
Source: MWR InfoSecurity
Reliability of source: Trusted
Source URL: http://www.mwrinfosecurity.com/publications/mwri_ibm-lotus-domino-if-modified-since-stack-overflow_2007-10-15.pdf

The IBM Lotus Domino Web Server service is vulnerable to a stack based
buffer overflow which can be exploited remotely. Upon reporting this issue
to IBM it was discovered that this was a known issue which had been
resolved in a number of previous releases and Fix Packs. However, the
previously reported issue did not correctly assess the impact of the
vulnerability or provide a description that allowed the vulnerability of
a given system to be accurately assessed.

The vulnerability would enable an attacker to execute arbitrary code on a
system. In the majority of installations this would be with local SYSTEM

The code responsible for parsing a parameter within the HTTP header of
requests to the service does not adequately check user supplied input.
This results in the ability to overflow a stack buffer which in turn allows
arbitrary code to be executed.

Further information and mitigation advice is available at the following


We would like to thank MWR InfoSecurity for their continued relationship
with CPNI.

This advisory contains information released by the original author.  Some
of the information may have changed since it was released. If the issue
affects you, it may be prudent to retrieve the advisory from the site of
the original source to ensure that you receive the most current information
concerning that problem. Reference to any specific commercial product,
process, or service by trade name, trademark manufacturer, or otherwise,
does not constitute or imply its endorsement, recommendation, or favouring
by CPNI.

The views and opinions of authors expressed within this notice shall not
be used for advertising or product endorsement purposes. CPNI shall not
accept responsibility for any errors or omissions contained within this
advisory. In particular, they shall not be liable for any loss or damage
whatsoever, arising from or in connection with the usage of information
contained within this advisory.

CSIRTUK is a member of the Forum of Incident Response and Security Teams
(FIRST) and has contacts with other international Incident Response Teams
(IRTs) in order to foster cooperation and coordination in incident
prevention, to prompt rapid reaction to incidents, and to promote
information sharing amongst its members and the community at large.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

Comment: http://www.auscert.org.au/render.html?it=1967