SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   IBM iNotes and Domino Vendors:   IBM
Lotus Domino Web Server Lets Remote Users Cause Arbitrary Javascript to be Executed by Another User's Browser
SecurityTracker Alert ID:  1001911
SecurityTracker URL:  http://securitytracker.com/id/1001911
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jul 2 2001
Impact:   Execution of arbitrary code via network
Exploit Included:  Yes  
Version(s): 5.0.6
Description:   A cross-site scripting vulnerability has been reported in the Lotus Domino web server that allows remote users create specially crafted URLs that will cause Javascript to be executed by other users.

Domino is vulnerable to a URL cross-site scripting attack.

The following requests for non-existent files will cause the server to return the specified JavaScript code in the 'File Not Found' reply sent back to the requesting user.

http://[targethost]/home.nsf/<img%20src=javascript:alert(document.domain)>

The Javascript code will then be executed by the requesting user within the server's domain.

Impact:   A remote user can create a web page or send an HTML-based e-mail message containing a specific URL that, when clicked on by the target user or when automatically fetched via Javascript code, will cause code in the URL to be executed by the target user's browser. The code will appear to the browser to be code from the server.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.lotus.com/home.nsf/welcome/domino/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Caldera/SCO), Linux (Red Hat Linux), Linux (SuSE), Linux (Turbo Linux), UNIX (Any), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Confirms) Re: Lotus Domino Web Server Lets Remote Users Cause Arbitrary Javascript to be Executed by Another User's Browser
The vendor has confirmed the vulnerability and is currently working on a fix for v5.0.9.



 Source Message Contents

Subject:  Lotus Domino Server Cross-Site Scripting Vulnerability


Lotus Domino Server Cross-Site Scripting Vulnerability
======================================================

Affected products:
=================
  Lotus Domino Server 5.0.6
  <http://www.lotus.com/home.nsf/welcome/domino/>

Vendor status:
=============
  Notified: 
    18 Mar 2001 09:59:51 +0900 (105 days before), security@lotus.com
  Response:
    20 Mar 2001 13:36:29 -0500
    > Dear Hiromitsu Tagaki,
    > I would like to thank you for bringing this issue to our attention.  Lotus
    > takes all reports of this nature very seriously and we will investigate
    > immediately.
    > For future reference, may I ask that you contact us at
    > security-alert@lotus.com?
    ...
    > Senior Product Manager, Notes and Domino Security
    > Lotus Development Corporation
  Fix: 
    Unknown
  Announcement: 
    Unknown
    http://www.lotus.com/developers/itcentral.nsf/wSecurity?OpenView

Problem:
=======
  Accessing the following URL, the JavaScript code will be executed
  in the browser on the server's domain.

  http://www.lotus.com/home.nsf/<img%20src=javascript:alert(document.domain)>

  This page produces output like this:
  =================================================
  Error 404
  HTTP Web Server: Couldn't find design note - ******

  ----------------------------------------------------------------------------
  Lotus-Domino Release 5.0.6a
  =================================================
  ******: The JavaScript code is executed here.

  This vulnerability is quite similar to "IIS cross-site scripting
  vulnerabilities (MS00-060)" reported by Microsoft on August 25, 2000.
  <http://www.microsoft.com/technet/security/bulletin/ms00-060.asp>

Impact:
======
  For the detail about cross-site scripting, see the following pages.
  <http://www.cert.org/advisories/CA-2000-02.html>
  <http://www.microsoft.com/TechNet/security/crssite.asp>

Workaround:
==========
  Customize error pages.


--
Hiromitsu Takagi, Ph.D.
National Institute of Advanced Industrial Science and Technology,
Tsukuba Central 2, 1-1-1, Umezono, Tsukuba, Ibaraki 305-8568, Japan
http://www.etl.go.jp/~takagi/



 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC