
IBM Lotus 6.x names.nsf Cross Site Scripting Vulnerability



=========================================
Yaniv Miron aka "Lament" Advisory March 12, 2010
IBM Lotus 6.x names.nsf Cross Site Scripting Vulnerability
=========================================

=====================
I. BACKGROUND
=====================

IBM Lotus Software delivers robust collaboration software that empowers
people to connect, collaborate, and innovate while optimizing the way they
work. With Lotus you can drive better business outcomes through
smarter collaboration.

http://www-01.ibm.com/software/lotus/

=====================
II. DESCRIPTION
=====================

A malicious attacker may inject scripts into the IBM Lotus application.

=====================
III. ANALYSIS
=====================

Exploitation of this vulnerability results in the execution of arbitrary
code using a malicious link.

=====================
IV. EXPLOIT
=====================

www.example.com/names.nsf/ src="javascript:alert(31337)">

=====================
V. DISCLOSURE TIMELINE
=====================

Jan 2009 Vulnerability found
Jan 2009 Vendor Notification
March 2010 Public Disclosure

=====================
VI. CREDIT
=====================

Yaniv Miron aka "Lament".
lament@ilhack.org 
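
Added example (not part of the original advisory and not IBM code): a log check a defender could run to find requests shaped like the one in section IV, including double-encoded variants, which goes slightly beyond the single case shown. It assumes a combined-format web access log; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request target inside a combined-format access log line (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Everything that follows names.nsf in the decoded request target.
NAMES_NSF_RE = re.compile(r"names\.nsf(.*)", re.IGNORECASE | re.DOTALL)
# Markers that do not belong in a URL under names.nsf: markup delimiters,
# quotes, and the javascript: scheme seen in the advisory's example.
SUSPICIOUS_RE = re.compile(r"[<>\"']|javascript:", re.IGNORECASE)


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is still inspected."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_names_nsf_requests(log_lines):
    """Return (line_number, decoded_target) for flagged names.nsf requests."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        request = REQUEST_RE.search(line)
        if not request:
            continue
        target = decode_fully(request.group(1))
        tail = NAMES_NSF_RE.search(target)
        if tail and SUSPICIOUS_RE.search(tail.group(1)):
            hits.append((number, target))
    return hits


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2010:10:00:01 +0000] "GET /names.nsf?OpenDatabase HTTP/1.1" 200 5120',
    '192.0.2.44 - - [12/Mar/2010:10:00:07 +0000] "GET /names.nsf/%20src=%22javascript:alert(31337)%22%3E HTTP/1.1" 200 2310',
    '192.0.2.44 - - [12/Mar/2010:10:00:09 +0000] "GET /names.nsf/%2520src%253D%2522javascript%253Aalert(31337)%2522%253E HTTP/1.1" 200 2310',
    '192.0.2.77 - - [12/Mar/2010:10:01:30 +0000] "GET /help/help6_client.nsf HTTP/1.1" 200 900',
]


if __name__ == "__main__":
    for number, target in suspicious_names_nsf_requests(SAMPLE_LOG):
        print(f"line {number}: {target}")
```

Hits are triage leads, not proof of compromise: confirm each one against the response the server actually returned.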
