A local vulnerability in a Lotus Notes for Linux configuration file could allow a malicious user to manipulate the values of essential configuration parameters and gain access to files. When installing Lotus Notes for Linux, the default permissions for the "notesdata/notes.ini" configuration file are "666". This gives malicious local users the ability to open the file, change the values of configuration parameters and save them. The local copy of Notes would then run using these altered parameter values, which could cause Notes to operate improperly and possibly destroy or alter data. . . .
A local vulnerability in a Lotus Notes for Linux configuration file could allow a malicious user to manipulate the values of essential configuration parameters and gain access to files.

When installing Lotus Notes for Linux, the default permissions for the "notesdata/notes.ini" configuration file are "666". This gives malicious local users the ability to open the file, change the values of configuration parameters and save them. The local copy of Notes would then run using these altered parameter values, which could cause Notes to operate improperly and possibly destroy or alter data.

Administrators should set permissions on the configuration file so that unauthorized users can't write to the file.

This vulnerability exists in Lotus Notes 6.0.2, and it may exist in other versions. Lotus Notes version 6.x has exhibited other vulnerabilities in the past, including a buffer overflow when handling long .zip file names, a heap overflow with long HTTP status lines, and an error in the Java Virtual Machine.

The link for this article located at Techtarget.com is no longer available.