Re: Lotus Domino Server Cross-Site Scripting Vulnerability

From: Katherine_Spanbauerat_private
Date: Mon Jul 02 2001 - 11:40:14 PDT

  • Next message: Joost Pol: "Re: php breaks safe mode" 

    This was reproduced and documented as SPR #JCHN4V2HUY.  We are currently
researching a fix and have plans to address in Domino R5.0.9.  When the fix
is available, it will be documented at http://www.notes.net/r5fixlist.nsf.

Regards,
Katherine

------------------------------------------------------------------------------------

Katherine Spanbauer
Senior Product Manager, Notes and Domino Security
Lotus Development Corporation






                                                                                                                   
                    "TAKAGI,                                                                                       
                    Hiromitsu"           To:     bugtraqat_private                                         
                    <takagiat_private        cc:     security-alertat_private                                          
                    o.jp>                Subject:     Lotus Domino Server Cross-Site Scripting Vulnerability       
                                                                                                                   
                    07/02/2001                                                                                     
                    07:38 AM                                                                                       
                                                                                                                   
                                                                                                                   




Lotus Domino Server Cross-Site Scripting Vulnerability
======================================================

Affected products:
=================
  Lotus Domino Server 5.0.6
  <http://www.lotus.com/home.nsf/welcome/domino/>

Vendor status:
=============
  Notified:
    18 Mar 2001 09:59:51 +0900 (105 days before), securityat_private
  Response:
    20 Mar 2001 13:36:29 -0500
    > Dear Hiromitsu Tagaki,
    > I would like to thank you for bringing this issue to our attention.
Lotus
    > takes all reports of this nature very seriously and we will
investigate
    > immediately.
    > For future reference, may I ask that you contact us at
    > security-alertat_private?
    ...
    > Senior Product Manager, Notes and Domino Security
    > Lotus Development Corporation
  Fix:
    Unknown
  Announcement:
    Unknown
    http://www.lotus.com/developers/itcentral.nsf/wSecurity?OpenView

Problem:
=======
  Accessing the following URL, the JavaScript code will be executed
  in the browser on the server's domain.


http://www.lotus.com/home.nsf/)>

  This page produces output like this:
  =================================================
  Error 404
  HTTP Web Server: Couldn't find design note - ******


----------------------------------------------------------------------------

  Lotus-Domino Release 5.0.6a
  =================================================
  ******: The JavaScript code is executed here.

  This vulnerability is quite similar to "IIS cross-site scripting
  vulnerabilities (MS00-060)" reported by Microsoft on August 25, 2000.
  <http://www.microsoft.com/technet/security/bulletin/ms00-060.asp>

Impact:
======
  For the detail about cross-site scripting, see the following pages.
  <http://www.cert.org/advisories/CA-2000-02.html>
  <http://www.microsoft.com/TechNet/security/crssite.asp>

Workaround:
==========
  Customize error pages.


--
Hiromitsu Takagi, Ph.D.
National Institute of Advanced Industrial Science and Technology,
Tsukuba Central 2, 1-1-1, Umezono, Tsukuba, Ibaraki 305-8568, Japan
http://www.etl.go.jp/~takagi/

    This archive was generated by hypermail 2b30 : Mon Jul 02 2001 - 19:21:35 PDT