This was reproduced and documented as SPR #JCHN4V2HUY. We are currently researching a fix and have plans to address it in Domino R5.0.9. When the fix is available, it will be documented at http://www.notes.net/r5fixlist.nsf.

Regards,
Katherine

------------------------------------------------------------------------------------
Katherine Spanbauer
Senior Product Manager, Notes and Domino Security
Lotus Development Corporation

"TAKAGI, Hiromitsu" <takagiat_private o.jp>
07/02/2001 07:38 AM

To: bugtraqat_private
cc: security-alertat_private
Subject: Lotus Domino Server Cross-Site Scripting Vulnerability

Lotus Domino Server Cross-Site Scripting Vulnerability
======================================================

Affected products:
=================
Lotus Domino Server 5.0.6
<http://www.lotus.com/home.nsf/welcome/domino/>

Vendor status:
=============
Notified: 18 Mar 2001 09:59:51 +0900 (105 days before), securityat_private
Response: 20 Mar 2001 13:36:29 -0500
> Dear Hiromitsu Tagaki,
> I would like to thank you for bringing this issue to our attention. Lotus
> takes all reports of this nature very seriously and we will investigate
> immediately.
> For future reference, may I ask that you contact us at
> security-alertat_private?
...
> Senior Product Manager, Notes and Domino Security
> Lotus Development Corporation
Fix: Unknown
Announcement: Unknown
http://www.lotus.com/developers/itcentral.nsf/wSecurity?OpenView

Problem:
=======
Accessing the following URL, the JavaScript code will be executed in the browser on the server's domain.

http://www.lotus.com/home.nsf/)>

This page produces output like this:
=================================================
Error 404
HTTP Web Server: Couldn't find design note - ******
----------------------------------------------------------------------------
Lotus-Domino Release 5.0.6a
=================================================
******: The JavaScript code is executed here.

This vulnerability is quite similar to "IIS cross-site scripting vulnerabilities (MS00-060)" reported by Microsoft on August 25, 2000.
<http://www.microsoft.com/technet/security/bulletin/ms00-060.asp>

Impact:
======
For details about cross-site scripting, see the following pages.
<http://www.cert.org/advisories/CA-2000-02.html>
<http://www.microsoft.com/TechNet/security/crssite.asp>

Workaround:
==========
Customize error pages.

--
Hiromitsu Takagi, Ph.D.
National Institute of Advanced Industrial Science and Technology,
Tsukuba Central 2, 1-1-1, Umezono, Tsukuba, Ibaraki 305-8568, Japan
http://www.etl.go.jp/~takagi/
This archive was generated by hypermail 2b30 : Mon Jul 02 2001 - 19:21:35 PDT
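The following is an added example, not part of the original messages and not Lotus code. It models the 404 page quoted in the advisory, once with the requested name copied into the HTML unchanged and once HTML-encoded, as a customized error page would do. The host name, function names and the inert probe marker are constructed for illustration.

```python
"""Added example: a 404 page that reflects the requested name, unescaped vs. escaped."""
import html
from urllib.parse import unquote, urlsplit

# Layout modelled on the error output quoted in the advisory. The host name,
# function names and probe marker are assumptions made for this example.
TEMPLATE = (
    "<html><head><title>Error</title></head><body>"
    "<h1>Error 404</h1>"
    "HTTP Web Server: Couldn't find design note - {name}"
    "<hr>Lotus-Domino Release 5.0.6a</body></html>"
)

def requested_name(url: str) -> str:
    """Return the percent-decoded part of the path that follows '.nsf/'."""
    return unquote(urlsplit(url).path).partition(".nsf/")[2]

def render_404_unescaped(url: str) -> str:
    """Behaviour the advisory describes: the name is written into the page as-is."""
    return TEMPLATE.format(name=requested_name(url))

def render_404_escaped(url: str) -> str:
    """Customized error page: the name is HTML-encoded before output."""
    return TEMPLATE.format(name=html.escape(requested_name(url), quote=True))

def reflects_markup(body: str, marker: str) -> bool:
    """True if the marker appears in the body with its angle brackets intact."""
    return marker in body

MARKER = "<probe-7f3a>"  # constructed, inert tag used only to detect reflection
URLS = [
    "http://domino.example/home.nsf/" + MARKER,          # raw form
    "http://domino.example/home.nsf/%3Cprobe-7f3a%3E",   # percent-encoded form
]

def audit(render) -> list:
    """Check each sample URL against one renderer; True means markup came back raw."""
    return [reflects_markup(render(u), MARKER) for u in URLS]

if __name__ == "__main__":
    print("unescaped page reflects markup:", audit(render_404_unescaped))
    print("escaped page reflects markup:  ", audit(render_404_escaped))
```

The same check can be used as a regression test after customizing the error page: the marker must come back only in its encoded form, for both the raw and the percent-encoded request.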