Passwords are written in clear text to a file on the client computer if the following notes.ini variables are set:
and the user changes his password.
This is a debugging function that made it into the production code of the Notes client.
1. The attacker
- has write access to the user's notes.ini, or
- writes him a Notes-internal email containing some appropriate code and the user executes it, or
- writes or modifies a Notes application in a way that changes the notes.ini, and the user executes it.
2. The user restarts the Notes client.
3. He changes his password.
4. The attacker has access to the created file and to the user's ID file.
Then he can authenticate as this user against the Domino server.
- Since Notes 6 it has been possible to distribute notes.ini variables via Policies and Desktop settings. This should be done now as a precaution.
- IBM has announced that the KFM_ShowEntropy variable will be removed from the next versions 7.0.3 and 8.0 of Notes.
- Basically, only the user himself should have access to his ID file.
- The ECL (Execution Control List) should be set reasonably, and users should know that the corresponding warning dialog is there for a reason. Signing Notes applications with a dedicated ID can help to reduce false alarms as far as possible.
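The precautions above come down to two checks: whether the debug variable is present in a client's notes.ini, and whether anyone other than the user could have written it there. The following script is an added example, not part of the original advisory or of IBM's tooling; it parses the key=value format of notes.ini and flags the KFM_ShowEntropy variable named in the advisory. The sample notes.ini contents are constructed for illustration, and the assumption that any non-empty, non-zero value means "enabled" is mine, since the page does not document the variable's values.

```python
"""Audit notes.ini files for the KFM_ShowEntropy debug setting.

Added example (not the advisory's own code). Parses the Key=Value lines
of a notes.ini and reports whether the clear-text password logging
switch named in the advisory is present and enabled.
"""
import sys
from typing import Dict, List

# The only notes.ini variable the advisory names. Assumption: any
# non-empty value other than "0" is treated as enabled.
DEBUG_VARIABLE = "KFM_ShowEntropy"


def parse_notes_ini(text: str) -> Dict[str, str]:
    """Parse notes.ini content into a dict; keys are matched case-insensitively."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, ';' comments and the [Notes] section header.
        if not line or line.startswith(";") or line.startswith("["):
            continue
        if "=" not in line:
            continue  # not a Key=Value setting
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def audit_notes_ini(text: str) -> List[str]:
    """Return findings for one notes.ini; an empty list means nothing was flagged."""
    settings = parse_notes_ini(text)
    findings: List[str] = []
    value = settings.get(DEBUG_VARIABLE.lower())
    if value is not None and value not in ("", "0"):
        findings.append(
            f"{DEBUG_VARIABLE}={value}: clear-text password logging is enabled; "
            "remove the line and check who could have written this notes.ini"
        )
    return findings


# Constructed sample contents (not from any real client).
SAMPLE_CLEAN = "[Notes]\nDirectory=C:\\notes\\data\nKitType=1\n"
SAMPLE_DEBUG = SAMPLE_CLEAN + "KFM_ShowEntropy=1\n"


def audit_file(path: str) -> List[str]:
    """Read a notes.ini from disk and audit it."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return audit_notes_ini(fh.read())


if __name__ == "__main__":
    # Usage: python audit_notes_ini.py C:\notes\notes.ini [more paths...]
    paths = sys.argv[1:]
    if not paths:
        print("clean sample:", audit_notes_ini(SAMPLE_CLEAN))
        print("debug sample:", audit_notes_ini(SAMPLE_DEBUG))
    for p in paths:
        for finding in audit_file(p) or ["no debug variable found"]:
            print(f"{p}: {finding}")
```

Run it against the notes.ini files collected from client machines (for example from a login script or a software-inventory tool) rather than trusting that a policy-distributed setting reached every client; a finding on a client that is not supposed to be in debugging mode is a reason to check write access to that file as well.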
Personal annotation: Forced periodic password changes are no longer risky only because users tend to choose easy passwords or write them down...
security hole in Notes (by Volker Weber)