I would like to give more details about Lotus Notes.
The fact is you can do almost everything using Lotus Script. By the way, any VB
developer will find his way easily thru LS. If LS is not powerful enough, you
can embed java applets, AX, and much more...
That's the power of Notes.
Now, to secure this, it exists an ECL ( Execution Control List ) that specifies
who is allowed to run which kind of code ( LS, JAVASCRIPT, JAVA... ) on the
local workstation or server, and what this code can access, if it's allowed to
access file system and call system procedures, and so on...
Cheers,
Jean-Philippe ROBBE
|--------+----------------------->
| | nwbuckley@med|
| | iaone.net |
| | |
| | 09/28/2000 |
| | 08:17 PM |
| | |
|--------+----------------------->
>----------------------------------------------------------------------------|
| |
| To: [EMAIL PROTECTED]@internet, |
| [EMAIL PROTECTED]@internet, [EMAIL PROTECTED]@internet |
| cc: (bcc: Jean-Philippe ROBBE/barep/fr/socgen) |
| Subject: Re: OT - Lotus Notes |
>----------------------------------------------------------------------------|
This may be a little over simplified, but the general idea is here.
I'm going back a couple of years(pre R5), so unless the architecture has
changed, Notes runs the same risks as Outlook does today. Replace all the
VB vulnerabilities available today with Lotus Script and you would be amazed
what you can execute local client and server 8).
Since most clients will run local agents by checking the automagic agent
execution box the vulnerability potential is now limited to your ability to
write Lotus Script(not tough, just obscure).
I'm not sure how much you can do outside of the notes sandbox (It's been a
while since I messed with it), but the potential is there. Any of you notes
gurus/hackers know what system calls are available with Lotus Script 8)
--Neil
{JFDI}
----- Original Message -----
From: "Ivan Fox" <[EMAIL PROTECTED]>
To: "Firewall-Wizards@Nfr. Net" <[EMAIL PROTECTED]>;
"Firewalls@Lists. Gnac. Net" <[EMAIL PROTECTED]>; "Firewall-1"
<[EMAIL PROTECTED]>
Sent: Thursday, September 28, 2000 1:30 PM
Subject: OT - Lotus Notes
> I am seeking advice/comments on allowing supplier's Lotus Notes to have
> "mail run" with our Lotus Notes over the Internet. Being unfamiliar with
> Notes, is there any security issues that I need to concern with?
>
> Any comments/suggestions are welcome.
>
> Thanks,
>
> Ivan
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
*************************************************************************
Ce message et toutes les pieces jointes (ci-apres le "message") sont
confidentiels et etablis a l'intention exclusive de ses destinataires.
Toute utilisation ou diffusion non autorisee est interdite.
Tout message electronique est susceptible d'alteration.
La SOCIETE GENERALE et ses filiales declinent toute responsabilite au titre de ce
message s'il a ete altere, deforme ou falsifie.
********
This message and any attachments (the "message") are confidential and
intended solely for the addressees.
Any unauthorised use or dissemination is prohibited.
E-mails are susceptible to alteration.
Neither SOCIETE GENERALE nor any of its subsidiaries or affiliates shall be liable for
the message if altered, changed or falsified.
*************************************************************************
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
