IBM Sametime: Fix for cross-site scripting vulnerability

Only a few days after a cross-site scripting vulnerability was discovered in IBM Sametime, a fix is available from IBM Fix Central.

The security issue may affect the stand-alone, embedded and web clients, but not the mobile and basic clients, and not Sametime versions 8.0.1, 8.0.0 or 7.5.1.

More details and the appropriate fix can be found here: Fix available for potential security vulnerability in IBM Sametime.

Lockout ID has no effect when using security policies

If you are using Domino security policies – e.g. to define password quality or password change interval – and the “Lockout ID” functionality to prevent users from accessing the Lotus Notes environment, you should pay attention to the following technote:

-> Global policy setting ignores ‘Lockout ID’ setting in Person document

From what I have tested so far it doesn’t matter whether it’s a global / organizational or explicit policy. As soon as you assign a policy including a security setting document to a user, setting the “Check password” field to “Lockout ID” has no effect and the user can still access the Domino server.

I bet there are many Domino administrators out there who wrongly trust the “Lockout ID” feature :-)

IBM Connections: Remember your security settings

After upgrading to IBM Connections 3.0.1 (the same happened from 2.5 to 3.0), do not forget to check your module security settings if you had adjusted them. The installer resets the security role mappings to their default values (at least in some modules), which can leave parts of your Connections environment accessible to everyone.

Verify your settings in the ISC (WebSphere Integrated Solutions Console) under Enterprise Applications -> [Module] -> Security role to user/group mapping.
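Clicking through every module in the console after each upgrade is tedious and easy to skip, so the check can be scripted. The following is an added example, not code from this post or from IBM: it assumes the role mappings were exported with the wsadmin command `print AdminApp.view('<application>', ['-MapRolesToUsers'])` and that the report lists each role as a block of "Label:  value" lines containing at least "Role:" and "Everyone?:" (the sample report below is constructed on that assumed layout, so adjust the labels if your console prints them differently). It flags every role that is mapped to Everyone, and optionally those mapped to all authenticated users, which is what you want to catch after the installer has restored the defaults.

```python
"""Flag IBM Connections (WebSphere) security roles that are open to Everyone.

Added example, not the blog's or IBM's code. Assumed input: the text report
printed by wsadmin for an enterprise application, e.g.
    print AdminApp.view('Profiles', ['-MapRolesToUsers'])
Assumed layout: one block per role made of "Label:  value" lines, with at
least "Role:" and "Everyone?:" (and usually "All authenticated?:").
Works under Python 2 (wsadmin's Jython) and Python 3.
"""
import re

# Constructed sample modelled on the assumed report layout (not real output).
SAMPLE_REPORT = """\
MapRolesToUsers: Map security roles to users or groups

Role:  reader
Everyone?:  Yes
All authenticated?:  No
Mapped users:
Mapped groups:

Role:  person-role
Everyone?:  No
All authenticated?:  Yes
Mapped users:
Mapped groups:

Role:  admin
Everyone?:  No
All authenticated?:  No
Mapped users:  wasadmin
Mapped groups:  connections-admins
"""

# "Label:  value", value may be empty (e.g. "Mapped users:" with nothing mapped)
LINE_RE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")


def parse_role_mappings(report):
    """Return one dict per role block, keyed by the labels found in the report."""
    roles, current = [], None
    for line in report.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        label, value = m.group(1), m.group(2)
        if label == "Role":
            current = {"Role": value}
            roles.append(current)
        elif current is not None:
            current[label] = value
    return roles


def open_roles(report, allow_authenticated=True):
    """List (role, who) pairs for roles that are not restricted to named users/groups.

    Roles with "Everyone?: Yes" are always reported (anonymous access).
    With allow_authenticated=False, roles granted to all authenticated users
    are reported too, for modules that should be limited to specific groups.
    """
    findings = []
    for role in parse_role_mappings(report):
        if role.get("Everyone?", "").lower() == "yes":
            findings.append((role["Role"], "Everyone"))
        elif not allow_authenticated and role.get("All authenticated?", "").lower() == "yes":
            findings.append((role["Role"], "All authenticated"))
    return findings


if __name__ == "__main__":
    for name, who in open_roles(SAMPLE_REPORT, allow_authenticated=False):
        print("role %r is mapped to %s" % (name, who))
```

Run it once per Connections application (Profiles, Communities, Blogs, and so on) and compare the output with the mappings you documented before the upgrade; any role that shows up as mapped to Everyone and was not meant to be is one to fix in the console before users find it.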

More information about the different roles -> Roles in Connections 3.0.1