A boundary condition condition exists in the General_ServerName property which by passing an overly long string, and then making a call to the InstallBrowserHelperDll() the data is then copied into a fixed length buffer, thereby overwriting the SEH.

IBM has released a patch to address this issue, please see the references section for more information. Additionally, it is possible to correct the flaw by implementing the following workaround(s): set the killbit for the affected control.

Unknown or Incomplete

• Security Tracker: 1019138
• CVE ID: 2007-4474 (see also: NVD)
• Bugtraq ID: 26972
• Secunia Advisory ID: 28184
• ISS X-Force ID: 39175
• Metasploit ID: 40954
• Milw0rm: 4820
• Exploit Database: 4820
• CERT VU: 963889
• VUPEN Advisory: ADV-2007-4296
• Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2007-12/0498.html
• Vendor Specific Advisory URL: http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21279071
• Generic Exploit URL: http://www.saintcorporation.com/cgi-bin/exploit_info/lotus_domino_web_access_dwa7w

• Elazar Broad - elazarhushmail.com - iDefense's Vulnerability Contributor Program
• Will Dorman -