Security researchers have disclosed several serious security bugs in IBM's Lotus Domino, one of the world's most widely used e-mail servers, with over 80 million users. The most serious flaw could allow an Internet attacker to take over a server, while the other flaws allow cross-site scripting and denial of service.

The first flaw involves a buffer overflow that can be caused by submitting a large amount of data to certain time/date fields that can be updated from the Web, IBM said in an advisory. An attacker could exploit the flaw to crash the server, the vendor said. However, Mark Litchfield of Next Generation Security Software (NGS), who discovered the bug, said the attack could allow the execution of malicious code, prompting independent security vendors such as Secunia to update their assessments of the flaw.

NGS said it has so far found six specific ways of exploiting the bug, which affects Domino versions 6.0.5 and 6.5.4. A patch is available from IBM, and NGS plans to give users an opportunity to update their systems before releasing technical details on 12 July.

IBM has released patches for three other less-serious flaws, allowing attackers to crash the server or carry out cross-site scripting. The first and second of these, discovered by Symantec, involve a format string error when handling authentication with the NRPC Notes protocol and a buffer overflow caused by a boundary error in the Notes.ini file on a Notes client. The Notes.ini bug requires local access to the file.

Both flaws have been fixed. IBM has published an advisory for each: one on the authentication flaw and one on the Notes.ini flaw.

The final bug allows an attacker to use the @SetHTTPHeader function to conduct HTTP response splitting attacks or proxy cache poisoning. An HTTP response splitting attack is a recently developed technique for poisoning a Web cache in order to hijack pages containing sensitive user information, and proxy cache poisoning is another way of hijacking user information. Both are examples of cross-site scripting attacks. IBM said the @SetHTTPHeader function is only available to application developers, and can only be exploited if the attacker has access to install applications on the Domino server. IBM has published an advisory and a fix.
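The header-setting weakness described above can be illustrated with an added example, which is not IBM's code and does not reproduce Domino's implementation. It assumes the standard mechanism behind response splitting (a carriage return or line feed inside a header value ends the header line early); the function names and the sample value are hypothetical and constructed for the demonstration.

```python
import re

# CR or LF in a header value ends the header line early; NUL is rejected too.
_FORBIDDEN = re.compile(r"[\r\n\x00]")
# Header names must be HTTP "token" characters only.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class HeaderInjectionError(ValueError):
    """Raised when a header name or value could break response framing."""


def naive_serialize(status_line, headers):
    """Weak form: concatenates header values without checking them."""
    lines = [status_line] + [f"{name}: {value}" for name, value in headers]
    return "\r\n".join(lines) + "\r\n\r\n"


def safe_serialize(status_line, headers):
    """Hardened form: refuse any name or value that could break framing."""
    for name, value in headers:
        if not _TOKEN.match(name):
            raise HeaderInjectionError(f"bad header name: {name!r}")
        if _FORBIDDEN.search(value):
            raise HeaderInjectionError(f"CR/LF/NUL in value of {name}")
    return naive_serialize(status_line, headers)


def count_header_lines(raw):
    """Count header lines in the first header block, as a proxy or cache would."""
    head = raw.split("\r\n\r\n", 1)[0]
    return len(head.split("\r\n")) - 1  # subtract the status line


# Constructed sample: one header whose value carries an embedded CRLF.
CONSTRUCTED_VALUE = "en\r\nX-Injected: 1"

if __name__ == "__main__":
    raw = naive_serialize("HTTP/1.1 200 OK",
                          [("Content-Language", CONSTRUCTED_VALUE)])
    print("header lines seen downstream:", count_header_lines(raw))
    try:
        safe_serialize("HTTP/1.1 200 OK",
                       [("Content-Language", CONSTRUCTED_VALUE)])
    except HeaderInjectionError as exc:
        print("rejected:", exc)
```

The application set one header, but a downstream parser sees two; validating at the point where the header is set closes that gap regardless of where the value came from.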

Lotus was until recently the most widely used email server, but has ceded the position to Microsoft Exchange, according to most analysts. Some industry observers estimate Lotus had about 25 percent of the email market in 2004, although opinions vary. Exchange had 115 million seats installed worldwide in 2004, compared to Domino's 83 million, according to Radicati Group, which predicts Domino will continue to lose market share.