Lotus last week acknowledged it is working on a fix for a security problem in some Web applications based on its Domino server and created by Lotus business partners.
But at the same time, the vendor also said it's not sure whether the flaw lies in its Domino server software or the way the software has been set up.
Boston-based bugfinder L0pht Industries recently posted to its Web site reports of holes in some Domino-based Web applications.
The vulnerability affects Web sites created by Lotus business partners that provide training services and accept credit card numbers via the Web, L0pht said. But the glitch could occur with any electronic-commerce site, the group noted.
L0pht said the hole appears when users navigate to a portion of a Web site used to process registration and payment information. If users remove everything to the right of the database name in the URL - the databases typically end in .nsf - they can then access sensitive information by clicking on the link, the group said.
They can also search the exposed database for business and customer names, addresses, phone numbers and payment information.
Lotus said L0pht is correct in alerting customers to the potential security breach, "but the problem described by L0pht could just as easily be seen in any operating system or application, and is not something specific to Domino".
Officials at Lotus said the company provides many security options for Domino application developers, such as access control lists, that can be leveraged best by Certified Lotus Professionals - authorised Lotus developers who are certified to train third-party developers.
L0pht said the sites could be protected by using reader and author name fields to prevent unauthorised access to sensitive data.
And the group said each Domino site should bar anonymous access to at least these databases: names.nsf, catalog.nsf, log.nsf, domlog.nsf and domcfg.nsf.
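As an added illustration that is not from the article, L0pht or Lotus, the following Python script applies the two points above to a constructed Common Log Format excerpt of the kind a Domino HTTP server can write: it flags successful anonymous requests to the five system databases just listed, and successful anonymous requests that stop at a bare .nsf name, the truncated-URL pattern L0pht described. The log lines, client addresses and the reg.nsf application database are constructed; the bare-database rule is a heuristic that will also match legitimate opens of a public application, so it is reported at lower severity.

```python
import re
from dataclasses import dataclass

# System databases the article says should never be readable anonymously.
SENSITIVE_DBS = {"names.nsf", "catalog.nsf", "log.nsf", "domlog.nsf", "domcfg.nsf"}

# Common Log Format: host ident user [time] "method path proto" status bytes
CLF = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
# Split a request path into "everything up to and including the .nsf" and the database name.
NSF = re.compile(r"^(.*?/([^/?]+\.nsf))(?:[/?].*)?$", re.IGNORECASE)

# Constructed sample log; names, addresses and reg.nsf are not from the article.
SAMPLE_LOG = """\
10.0.0.7 - - [12/Mar/1999:10:02:11 -0500] "GET /training/reg.nsf/Register?OpenForm HTTP/1.0" 200 4121
10.0.0.7 - - [12/Mar/1999:10:02:40 -0500] "GET /training/reg.nsf HTTP/1.0" 200 2210
10.0.0.7 - - [12/Mar/1999:10:03:02 -0500] "GET /names.nsf HTTP/1.0" 200 3305
10.0.0.9 - jsmith [12/Mar/1999:10:05:14 -0500] "GET /log.nsf HTTP/1.0" 200 1800
10.0.0.9 - - [12/Mar/1999:10:06:00 -0500] "GET /domcfg.nsf HTTP/1.0" 401 0
"""

@dataclass
class Finding:
    client: str
    path: str
    severity: str
    reason: str

def analyse(line):
    """Return a Finding for one log line, or None if it is not of concern."""
    m = CLF.match(line)
    if not m:
        return None
    client, user, _ts, _method, path, status, _size = m.groups()
    n = NSF.match(path)
    # Only successful (200) requests by anonymous users ("-") to a .nsf database matter here.
    if not n or status != "200" or user != "-":
        return None
    prefix, db = n.group(1), n.group(2).lower()
    if db in SENSITIVE_DBS:
        return Finding(client, path, "high", f"anonymous read of system database {db}")
    # Truncated URL: the request ends at the database name itself (no view, form or document).
    if path.split("?")[0].rstrip("/") == prefix:
        return Finding(client, path, "low", "anonymous open of bare database URL")
    return None

def scan(log_text):
    """Run analyse() over every line and collect the findings in log order."""
    return [f for f in (analyse(l) for l in log_text.splitlines()) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.severity:4} {f.client:10} {f.path:25} {f.reason}")
```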