T 5.101 Hacking Lotus Notes

The data stored in the databases of the Notes server can also be made available for public access from the Internet. This imposes special requirements on the security of the Notes server used for this purpose. In this case, security loopholes could result in an adversary not only gaining unauthorised access to the Notes server itself but possibly also being able to penetrate the internal network which lies behind it.

Some of the problem areas and potential security loopholes which need to be considered, particularly where public access is allowed from the Internet to a Notes server, are listed below.

• The communication protocol of Lotus Notes is currently not published so that it is not possible to make any definitive statements about the security mechanisms. Even when appropriately configured, it must be assumed that there will be a residual risk.
• A Notes server is complex system. A server network increases the complexity still further. This complexity (also the security-relevant settings) can result in mistakes being made during configuration and hence in the creation of security loopholes.
• With its wide functionality, it is possible for integration of a Notes server into appropriate background systems to permit the passing on of security weaknesses from a Notes server to the background systems. In such a case generally it is sufficient to exploit a single weakness in a single function package.