IBM Lotus Notes htmsr.dll HTML speed reader URL link buffer overflow
| lotus-htmsr-link-bo (24639) |  High Risk |
Description:
IBM Lotus Notes is vulnerable to multiple stack-based buffer overflows in HTML speed reader (htmsr.dll). By sending a malicious email containing an overly long http://, ftp:// or // URL or an overly long link to a local file, a remote attacker could overflow a buffer and execute arbitrary code on the system once the victim clicks the vulnerable link.
Note: This vulnerability also affects Verity KeyView SDK.
*CVSS:
| Base Score: | 5.6 |
| Access Vector: | Remote |
| Access Complexity: | High |
| Authentication: | Not Required |
| Confidentiality Impact: | Partial |
| Integrity Impact: | Partial |
| Availability Impact: | Partial |
| Temporal Score: | 4.1 |
| Exploitability: | Unproven |
| Remediation Level: | Official-Fix |
| Report Confidence: | Confirmed |
Consequences:
Gain Access
Remedy:
Upgrade to the latest version of IBM Lotus Notes (6.5.5 or later) or (7.0.1 or later), available from the IBM Software Support Web site. See References.
For Verity KeyView SDK:
Upgrade to the latest version of KeyView SDK (9.2.0 or later), available from the Verity Web site. See Referneces.
References:
- IBM Software Support Web site: Lotus Support.
- Lotus Support Services Technote 1229918: Potential Buffer Overflow and Directory Traversal Vulnerabilities in Lotus Notes File Viewers.
- Verity Web site: Verity Products - Keyview.
- BID-16576: IBM Lotus Notes File Attachment Handling Multiple Remote Vulnerabilities
- CVE-2005-2618: Multiple stack-based buffer overflows in Autonomy (formerly Verity) KeyView SDK before 9.2.0, as used in Lotus Notes 6.5.4 and 7.0, allow remote attackers to execute arbitrary code via (1) a UUE file containing an encoded file with a long filename handled by uudrdr.dll, (2) a compressed ZIP file with a long filename handled by kvarcve.dll, (3) a TAR archive with a long filename that is extracted to a directory with a long path handled by the TAR reader (tarrdr.dll), (4) an email that contains a long HTTP, FTP, or // link handled by the HTML speed reader (htmsr.dll) or (5) an email containing a crafted long link handled by the HTML speed reader (htmsr.dll).
- OSVDB ID: 23064: Verity KeyView Viewer SDK kvarcve.dll Compressed File Pathname Generation Overflow
- OSVDB ID: 23065: Verity KeyView Viewer SDK uudrdr.dll UUE Filename Overflow
- OSVDB ID: 23066: Verity KeyView Viewer SDK kvarcve.dll Compressed File Preview Traversal Arbitrary File Deletion
- OSVDB ID: 23067: Verity KeyView Viewer SDK tarrdr.dll TAR Extraction Overflow
- OSVDB ID: 23068: Verity KeyView Viewer SDK htmsr.dll Link Processing Overflow
- SA16100: Verity KeyView SDK Multiple Vulnerabilities
- SA16280: IBM Lotus Notes Multiple Vulnerabilities
- SECTRACK ID: 1015657: IBM Lotus Domino/Notes Archive Processing Buffer Overflow and Directory Traversal Bugs Let Remote Users Execute Arbitrary Code and Delete Files
- US-CERT VU#884076: IBM Lotus Notes ZIP file handling buffer overflow
- VUPEN/ADV-2006-0500: IBM Lotus Notes Buffer Overflow and Directory Traversal Vulnerabilities
- VUPEN/ADV-2006-0501: Verity KeyView Archive Handling Multiple Buffer Overflow Vulnerabilities
Platforms Affected:
- Autonomy KeyView Export SDK
- Autonomy KeyView Filter SDK
- Autonomy KeyView Viewer SDK
- IBM Lotus Notes 6.0
- IBM Lotus Notes 6.0.1
- IBM Lotus Notes 6.0.1.1
- IBM Lotus Notes 6.0.1.2
- IBM Lotus Notes 6.0.1.3
- IBM Lotus Notes 6.0.2.1
- IBM Lotus Notes 6.0.2.2
- IBM Lotus Notes 6.0.3
- IBM Lotus Notes 6.0.4
- IBM Lotus Notes 6.0.5
- IBM Lotus Notes 6.5
- IBM Lotus Notes 6.5.1
- IBM Lotus Notes 6.5.2
- IBM Lotus Notes 6.5.2.1
- IBM Lotus Notes 6.5.3
- IBM Lotus Notes 6.5.3.1
- IBM Lotus Notes 7.0
Reported:
Feb 10, 2006
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall IBM be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.