Secunia

Some vulnerabilities have been discovered in IBM Lotus Domino Web Access, which can be exploited by malicious people to compromise a user's system.

1) Boundary errors in the Domino Web Access ActiveX control (inotes6.dll, inotes6w.dll, dwa7.dll, dwa7W.dll) can be exploited to cause stack-based buffer overflows by assigning an overly long string to the "General_ServerName" or "General_JunctionName" property and then calling the "InstallBrowserHelperDll()" method.

2) A boundary error in the Domino Web Access ActiveX control can be exploited to cause a stack-based buffer overflow by assigning an overly-long string to the "Mail_MailDbPath" property and then calling the "Mail_SetDefaultMailClient()" method.

3) The Domino Web Access ActiveX control includes the insecure "InstallBrowserHelperDll()" method, which can be exploited to e.g. download and register a malicious ActiveX control on a vulnerable system.

Successful exploitation of the vulnerabilities allow execution of arbitrary code.

The vulnerability is reported in dwa7W.dll version 7.0.34.1, confirmed in dwa7W.dll version 7.0.34.0, and reportedly affects IBM Lotus Domino 6.x (inotes6.dll, inotes6w.dll) and 7.x (dwa7.dll, dwa7W.dll). Other versions may also be affected.

Solution
The "Mail_MailDbPath" property vulnerability is reportedly fixed in Lotus Domino Web Access version 6.5.6, 7.0.3, and 8.0.
Further details available in Customer Area

Provided and/or discovered by
Elazar Broad

Also independently discovered by:
* Will Dormann of CERT/CC

Changelog
Further details available in Customer Area

Original Advisory
IBM:
http://www-1.ibm.com/support/docview.wss?uid=swg21279071

Elazar Broad (via Full-Disclosure):
http://lists.grok.org.uk/pipermail/full-disclosure/2007-December/059233.html

US-CERT VU#963889:
http://www.kb.cert.org/vuls/id/963889

Alternate/detailed remediation
Further details available in Customer Area

Deep Links
Links available in Customer Area