SecurityTracker.com
Category:   Application (Web Server/CGI)  >   IBM iNotes and Domino
Vendors:   IBM
(Vendor Confirms) Re: Lotus Domino Web Server Lets Remote Users Cause Arbitrary Javascript to be Executed by Another User's Browser
SecurityTracker Alert ID:  1001914
SecurityTracker URL:  http://securitytracker.com/id/1001914
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 3 2001
Impact:   Execution of arbitrary code via network
Vendor Confirmed:  Yes  
Version(s): 5.0.6
Description:   A cross-site scripting vulnerability has been reported in the Lotus Domino web server that allows remote users to create specially crafted URLs that will cause JavaScript to be executed by other users' browsers.

Domino is vulnerable to a URL cross-site scripting attack.

The following requests for non-existent files will cause the server to return the specified JavaScript code in the 'File Not Found' reply sent back to the requesting user.

http://[targethost]/home.nsf/<img%20src=javascript:alert(document.domain)>

The Javascript code will then be executed by the requesting user within the server's domain.

Impact:   A remote user can create a web page or send an HTML-based e-mail message containing a specific URL that, when clicked on by the target user or when automatically fetched via Javascript code, will cause code in the URL to be executed by the target user's browser. The code will appear to the browser to be code from the server.
Solution:   The vendor has confirmed the vulnerability and is currently researching a fix. When the fix is available, it will reportedly be documented at http://www.notes.net/r5fixlist.nsf.
Vendor URL:  www.lotus.com/home.nsf/welcome/domino/
Cause:   Input validation error
Underlying OS:  Linux (Caldera/SCO), Linux (Red Hat Linux), Linux (SuSE), Linux (Turbo Linux), UNIX (Any), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)

Message History:   This archive entry is a follow-up to the message listed below.
Jul 2 2001 Lotus Domino Web Server Lets Remote Users Cause Arbitrary Javascript to be Executed by Another User's Browser



 Source Message Contents

Subject:  Re: Lotus Domino Server Cross-Site Scripting Vulnerability


This was reproduced and documented as SPR #JCHN4V2HUY.  We are currently
researching a fix and have plans to address in Domino R5.0.9.  When the fix
is available, it will be documented at http://www.notes.net/r5fixlist.nsf.

Regards,
Katherine

------------------------------------------------------------------------------------

Katherine Spanbauer
Senior Product Manager, Notes and Domino Security
Lotus Development Corporation






From:     "TAKAGI, Hiromitsu" <takagi@etl.go.jp>
To:       bugtraq@securityfocus.com
cc:       security-alert@lotus.com
Subject:  Lotus Domino Server Cross-Site Scripting Vulnerability
Date:     07/02/2001 07:38 AM




Lotus Domino Server Cross-Site Scripting Vulnerability
======================================================

Affected products:
=================
  Lotus Domino Server 5.0.6
  <http://www.lotus.com/home.nsf/welcome/domino/>

Vendor status:
=============
  Notified:
    18 Mar 2001 09:59:51 +0900 (105 days before), security@lotus.com
  Response:
    20 Mar 2001 13:36:29 -0500
    > Dear Hiromitsu Tagaki,
    > I would like to thank you for bringing this issue to our attention. Lotus
    > takes all reports of this nature very seriously and we will investigate
    > immediately.
    > For future reference, may I ask that you contact us at
    > security-alert@lotus.com?
    ...
    > Senior Product Manager, Notes and Domino Security
    > Lotus Development Corporation
  Fix:
    Unknown
  Announcement:
    Unknown
    http://www.lotus.com/developers/itcentral.nsf/wSecurity?OpenView

Problem:
=======
  When the following URL is accessed, the JavaScript code will be executed
  in the browser on the server's domain.


http://www.lotus.com/home.nsf/<img%20src=javascript:alert(document.domain)>

  This page produces output like this:
  =================================================
  Error 404
  HTTP Web Server: Couldn't find design note - ******
  ----------------------------------------------------------------------------
  Lotus-Domino Release 5.0.6a
  =================================================
  ******: The JavaScript code is executed here.

  This vulnerability is quite similar to "IIS cross-site scripting
  vulnerabilities (MS00-060)" reported by Microsoft on August 25, 2000.
  <http://www.microsoft.com/technet/security/bulletin/ms00-060.asp>

Impact:
======
  For details about cross-site scripting, see the following pages.
  <http://www.cert.org/advisories/CA-2000-02.html>
  <http://www.microsoft.com/TechNet/security/crssite.asp>

Workaround:
==========
  Customize error pages.


--
Hiromitsu Takagi, Ph.D.
National Institute of Advanced Industrial Science and Technology,
Tsukuba Central 2, 1-1-1, Umezono, Tsukuba, Ibaraki 305-8568, Japan
http://www.etl.go.jp/~takagi/
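
Added example (not part of the original report or of any Lotus code): a minimal Python model of the 'File Not Found' page described above, showing the reflecting behaviour next to an HTML-escaped version and a static custom error page, with a check that tells them apart. The template text, the function names and the assumption that the path is URL-decoded before being echoed are constructed for illustration.

```python
import html
from urllib.parse import unquote

# Constructed template, modelled on the error output quoted in the report.
TEMPLATE = (
    "<html><body><h1>Error 404</h1>\n"
    "HTTP Web Server: Couldn't find design note - {note}\n"
    "<hr>Lotus-Domino Release 5.0.6a</body></html>"
)

def design_note(request_path):
    """Return the URL-decoded part of the path after the .nsf database name."""
    decoded = unquote(request_path)          # assumption: server decodes %20 etc.
    _, _, note = decoded.partition(".nsf/")
    return note

def render_404_reflecting(request_path):
    """Behaviour described in the report: the decoded name is echoed as-is."""
    return TEMPLATE.format(note=design_note(request_path))

def render_404_escaped(request_path):
    """Hardened form: HTML-encode the name before it reaches the page."""
    return TEMPLATE.format(note=html.escape(design_note(request_path), quote=True))

def render_404_static(request_path):
    """The 'customize error pages' workaround: echo nothing from the request."""
    return TEMPLATE.format(note="(requested item)")

def reflects_markup(render, request_path):
    """True if markup from the request path appears verbatim in the response."""
    note = design_note(request_path)
    return "<" in note and note in render(request_path)

# Request path taken from the report (host omitted).
REPORTED_PATH = "/home.nsf/<img%20src=javascript:alert(document.domain)>"

if __name__ == "__main__":
    for fn in (render_404_reflecting, render_404_escaped, render_404_static):
        print(f"{fn.__name__}: reflects markup = {reflects_markup(fn, REPORTED_PATH)}")
```

The same check can be pointed at a captured response body from your own server's error page to confirm whether a fix or a customized error page actually stops the reflection.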






 
 

