VID 22181
Severity 30
Port 80, ...
Protocol TCP
Class WWW
Detailed Description The Lotus Domino Server is vulnerable to cross-site scripting.
Lotus Domino Server is an application framework for web-based collaborative software. It runs on multiple platforms, including Windows and Unix. Version R5.0.6 of the Lotus Domino server contains a cross-site scripting vulnerability that allows a remote attacker to inject malicious script (JavaScript, VBScript, etc.) or HTML into a web page. If the web server receives a well-formed URL request such as "http://www.test.com/test.html" and the requested file does not exist, the server returns an error page such as:

<HTML> 404 page does not exist: test.html ... </HTML>.

This means that the string supplied by the user is included in the error page and returned straight through to the client's browser. Using this flaw, a remote attacker can send a request for a non-existent file whose name contains malicious script, such as:

http://www.test.com/home.nsf/<img%20src=javascript:alert(document.domain)>

The server generates an error page using its ordinary routines, and the JavaScript code is executed in the client's browser, as follows:

Error 404
HTTP Web Server: Couldn't find design note - *************
<img src=javascript:alert(document.domain)>

Such a cross-site scripting vulnerability can be used to "sniff" sensitive data from within the web pages, including passwords, credit card numbers, and any other information the user enters.

* References:
http://www.securityfocus.com/archive/1/194465
http://www.kb.cert.org/vuls/id/642239
http://www.cert.org/advisories/CA-2000-02.html

* Platforms Affected:
Lotus Domino R5.0.6
Recommendation Upgrade to Lotus Domino 5.0.9 or later, or to the latest version from the Lotus web site, http://www.ibm.com/developerworks/lotus/downloads.html
This vulnerability, tracked by Lotus as SPR# JCHN4V2HUY, is fixed in the 5.0.9 release. The latest version at the time of writing, Lotus Notes/Domino 6.0.1, was released on Feb. 13, 2003.

As a workaround, the web master should change the default error page so that it does not include the file name supplied by the user. On the client side, scripting languages can be disabled in the browser.
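An added example, not code from this advisory or from Lotus, showing the workaround above (an error page that no longer reflects request markup) next to a log check that flags 404 requests carrying script markers. The error template reuses the message text quoted above; the function names and the access-log lines are constructed assumptions.

```python
import html
import re
from urllib.parse import unquote

# Assumed template modelled on the error page quoted in the advisory.
ERROR_TEMPLATE = "Error 404\nHTTP Web Server: Couldn't find design note - {name}\n"


def render_404_unsafe(requested_name: str) -> str:
    """Reflects the requested name verbatim, as the vulnerable server does."""
    return ERROR_TEMPLATE.format(name=requested_name)


def render_404_safe(requested_name: str) -> str:
    """Workaround: cap the length, then HTML-escape what is reflected so that
    markup in the request cannot become markup in the error page."""
    shown = html.escape(requested_name[:64], quote=True)
    return ERROR_TEMPLATE.format(name=shown)


TAG_START = re.compile(r"<[a-zA-Z/!]")


def reflects_markup(body: str) -> bool:
    """True if an HTML tag start survives in the rendered error page."""
    return TAG_START.search(body) is not None


# Detection side: common-log-format request line and status code.
LOG_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
SCRIPT_MARKERS = re.compile(r"<|javascript:|vbscript:", re.IGNORECASE)


def suspicious_404_requests(log_lines):
    """Return decoded paths of 404 responses whose path carries tag or script markers."""
    hits = []
    for line in log_lines:
        match = LOG_LINE.search(line)
        if not match:
            continue
        path, status = unquote(match.group(1)), match.group(2)
        if status == "404" and SCRIPT_MARKERS.search(path):
            hits.append(path)
    return hits
```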
Related URL CVE-2001-1161 (CVE)
Related URL 2962 (SecurityFocus)
Related URL 6789 (ISS)