IT Baseline Protection Manual T 5.101 Hacking Lotus Notes
The data stored in the databases of a Notes server can also be made available for public access from the Internet. This imposes special security requirements on the Notes server used for this purpose. In this case, security loopholes could allow an adversary not only to gain unauthorised access to the Notes server itself but possibly also to penetrate the internal network that lies behind it.
Some of the problem areas and potential security loopholes which need to be considered, particularly where public access from the Internet to a Notes server is allowed, are listed below.
The communication protocol of Lotus Notes is currently not published, so no definitive statements can be made about its security mechanisms. Even with an appropriate configuration, a residual risk must be assumed.
A Notes server is a complex system, and a network of Notes servers increases the complexity still further. This complexity, which extends to the security-relevant settings, can result in mistakes being made during configuration and hence in the creation of security loopholes.
Because of its wide functionality, integrating a Notes server with back-end systems can allow security weaknesses to be passed on from the Notes server to those back-end systems. In such a case it is generally sufficient to exploit a single weakness in a single function package.