Lotus Domino Web Server Lets Remote Users Cause Arbitrary Javascript to be Executed by Another User's Browser
|
|
SecurityTracker Alert ID: 1001911 |
|
SecurityTracker URL: http://securitytracker.com/id/1001911
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Jul 2 2001
|
Impact:
Execution of arbitrary code via network
|
Exploit Included: Yes
|
Version(s): 5.0.6
|
Description:
A cross-site scripting vulnerability has been reported in the Lotus Domino web server that allows remote users create specially crafted URLs that will cause Javascript to be executed by other users.
Domino is vulnerable to a URL cross-site scripting attack.
The following requests for non-existent files will cause the server to return the specified JavaScript code in the 'File Not Found' reply sent back to the requesting user.
http://[targethost]/home.nsf/<img%20src=javascript:alert(document.domain)>
The Javascript code will then be executed by the requesting user within the server's domain.
|
Impact:
A remote user can create a web page or send an HTML-based e-mail message containing a specific URL that, when clicked on by the target user or when automatically fetched via Javascript code, will cause code in the URL to be executed by the target user's browser. The code will appear to the browser to be code from the server.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: www.lotus.com/home.nsf/welcome/domino/ (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS:
Linux (Caldera/SCO), Linux (Red Hat Linux), Linux (SuSE), Linux (Turbo Linux), UNIX (Any), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Mon, 02 Jul 2001 20:38:06 +0900
Subject: Lotus Domino Server Cross-Site Scripting Vulnerability
|
Lotus Domino Server Cross-Site Scripting Vulnerability
======================================================
Affected products:
=================
Lotus Domino Server 5.0.6
<http://www.lotus.com/home.nsf/welcome/domino/>
Vendor status:
=============
Notified:
18 Mar 2001 09:59:51 +0900 (105 days before), security@lotus.com
Response:
20 Mar 2001 13:36:29 -0500
> Dear Hiromitsu Tagaki,
> I would like to thank you for bringing this issue to our attention. Lotus
> takes all reports of this nature very seriously and we will investigate
> immediately.
> For future reference, may I ask that you contact us at
> security-alert@lotus.com?
...
> Senior Product Manager, Notes and Domino Security
> Lotus Development Corporation
Fix:
Unknown
Announcement:
Unknown
http://www.lotus.com/developers/itcentral.nsf/wSecurity?OpenView
Problem:
=======
Accessing the following URL, the JavaScript code will be executed
in the browser on the server's domain.
http://www.lotus.com/home.nsf/<img%20src=javascript:alert(document.domain)>
This page produces output like this:
=================================================
Error 404
HTTP Web Server: Couldn't find design note - ******
----------------------------------------------------------------------------
Lotus-Domino Release 5.0.6a
=================================================
******: The JavaScript code is executed here.
This vulnerability is quite similar to "IIS cross-site scripting
vulnerabilities (MS00-060)" reported by Microsoft on August 25, 2000.
<http://www.microsoft.com/technet/security/bulletin/ms00-060.asp>
Impact:
======
For the detail about cross-site scripting, see the following pages.
<http://www.cert.org/advisories/CA-2000-02.html>
<http://www.microsoft.com/TechNet/security/crssite.asp>
Workaround:
==========
Customize error pages.
--
Hiromitsu Takagi, Ph.D.
National Institute of Advanced Industrial Science and Technology,
Tsukuba Central 2, 1-1-1, Umezono, Tsukuba, Ibaraki 305-8568, Japan
http://www.etl.go.jp/~takagi/
|
|
