SecurityTracker Alert ID: 1001911
SecurityTracker URL: http://securitytracker.com/id/1001911
Date: Jul 2 2001
Execution of arbitrary code via network
Exploit Included: Yes
Domino is vulnerable to a URL cross-site scripting attack.
No solution was available at the time of this entry.
Vendor URL: www.lotus.com/home.nsf/welcome/domino/
Input validation error
Underlying OS: Linux (Caldera/SCO), Linux (Red Hat Linux), Linux (SuSE), Linux (Turbo Linux), UNIX (Any), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Subject: Lotus Domino Server Cross-Site Scripting Vulnerability
Lotus Domino Server Cross-Site Scripting Vulnerability
Lotus Domino Server 5.0.6
18 Mar 2001 09:59:51 +0900 (105 days before), firstname.lastname@example.org
20 Mar 2001 13:36:29 -0500
> Dear Hiromitsu Takagi,
> I would like to thank you for bringing this issue to our attention. Lotus
> takes all reports of this nature very seriously and we will investigate
> For future reference, may I ask that you contact us at
> Senior Product Manager, Notes and Domino Security
> Lotus Development Corporation
in the browser on the server's domain.
This page produces output like this:
HTTP Web Server: Couldn't find design note - ******
Lotus-Domino Release 5.0.6a
This vulnerability is quite similar to "IIS cross-site scripting
vulnerabilities (MS00-060)" reported by Microsoft on August 25, 2000.
For details about cross-site scripting, see the following pages.
Customize error pages.
Hiromitsu Takagi, Ph.D.
National Institute of Advanced Industrial Science and Technology,
Tsukuba Central 2, 1-1-1, Umezono, Tsukuba, Ibaraki 305-8568, Japan