6695865 2001-07-02 20:38 +0900 /74 lines/ TAKAGI, Hiromitsu <takagi@etl.go.jp>
Sent by: joel@lysator.liu.se
Imported: 2001-07-02 18:08 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External CC recipient: security-alert@lotus.com
Recipient: Bugtraq (import) <17736>
Subject: Lotus Domino Server Cross-Site Scripting Vulnerability
------------------------------------------------------------
From: "TAKAGI, Hiromitsu" <takagi@etl.go.jp>
To: bugtraq@securityfocus.com
Cc: security-alert@lotus.com
Message-ID: <20010702203751.1291.TAKAGI@etl.go.jp>

Lotus Domino Server Cross-Site Scripting Vulnerability
======================================================

Affected products:
=================
  Lotus Domino Server 5.0.6
  <http://www.lotus.com/home.nsf/welcome/domino/>

Vendor status:
=============
  Notified: 18 Mar 2001 09:59:51 +0900 (105 days before), security@lotus.com
  Response: 20 Mar 2001 13:36:29 -0500
    > Dear Hiromitsu Tagaki,
    > I would like to thank you for bringing this issue to our attention. Lotus
    > takes all reports of this nature very seriously and we will investigate
    > immediately.
    > For future reference, may I ask that you contact us at
    > security-alert@lotus.com?
    ...
    > Senior Product Manager, Notes and Domino Security
    > Lotus Development Corporation
  Fix: Unknown
  Announcement: Unknown
    http://www.lotus.com/developers/itcentral.nsf/wSecurity?OpenView

Problem:
=======
  Accessing the following URL, the JavaScript code will be executed in
  the browser on the server's domain.

  http://www.lotus.com/home.nsf/<img%20src=javascript:alert(document.domain)>

  This page produces output like this:

  =================================================
  Error 404

  HTTP Web Server: Couldn't find design note - ******
  ----------------------------------------------------------------------------
  Lotus-Domino Release 5.0.6a
  =================================================
  ******: The JavaScript code is executed here.
  This vulnerability is quite similar to "IIS cross-site scripting
  vulnerabilities (MS00-060)" reported by Microsoft on August 25, 2000.
  <http://www.microsoft.com/technet/security/bulletin/ms00-060.asp>

Impact:
======
  For the detail about cross-site scripting, see the following pages.
  <http://www.cert.org/advisories/CA-2000-02.html>
  <http://www.microsoft.com/TechNet/security/crssite.asp>

Workaround:
==========
  Customize error pages.

--
Hiromitsu Takagi, Ph.D.
National Institute of Advanced Industrial Science and Technology,
Tsukuba Central 2, 1-1-1, Umezono, Tsukuba, Ibaraki 305-8568, Japan
http://www.etl.go.jp/~takagi/
(6695865) /TAKAGI, Hiromitsu <takagi@etl.go.jp>/(Re-wrapped)

6697747 2001-07-02 14:40 -0400 /114 lines/ <Katherine_Spanbauer@lotus.com>
Sent by: joel@lysator.liu.se
Imported: 2001-07-03 04:25 by Brevbäraren
External recipient: takagi@etl.go.jp
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17758>
Subject: Re: Lotus Domino Server Cross-Site Scripting Vulnerability
------------------------------------------------------------
From: Katherine_Spanbauer@lotus.com
To: takagi@etl.go.jp
Cc: bugtraq@securityfocus.com
Message-ID: <OFCD85B6CE.D39A4A34-ON85256A7D.0055F019@lotus.com>

This was reproduced and documented as SPR #JCHN4V2HUY. We are currently
researching a fix and have plans to address in Domino R5.0.9. When the fix
is available, it will be documented at http://www.notes.net/r5fixlist.nsf.
Regards,
Katherine
------------------------------------------------------------------------------------
Katherine Spanbauer
Senior Product Manager, Notes and Domino Security
Lotus Development Corporation


"TAKAGI, Hiromitsu"        To:      bugtraq@securityfocus.com
<takagi@etl.go.jp>         cc:      security-alert@lotus.com
                           Subject: Lotus Domino Server Cross-Site Scripting Vulnerability
07/02/2001 07:38 AM


Lotus Domino Server Cross-Site Scripting Vulnerability
======================================================

Affected products:
=================
  Lotus Domino Server 5.0.6
  <http://www.lotus.com/home.nsf/welcome/domino/>

Vendor status:
=============
  Notified: 18 Mar 2001 09:59:51 +0900 (105 days before), security@lotus.com
  Response: 20 Mar 2001 13:36:29 -0500
    > Dear Hiromitsu Tagaki,
    > I would like to thank you for bringing this issue to our attention. Lotus
    > takes all reports of this nature very seriously and we will investigate
    > immediately.
    > For future reference, may I ask that you contact us at
    > security-alert@lotus.com?
    ...
    > Senior Product Manager, Notes and Domino Security
    > Lotus Development Corporation
  Fix: Unknown
  Announcement: Unknown
    http://www.lotus.com/developers/itcentral.nsf/wSecurity?OpenView

Problem:
=======
  Accessing the following URL, the JavaScript code will be executed in
  the browser on the server's domain.

  http://www.lotus.com/home.nsf/<img%20src=javascript:alert(document.domain)>

  This page produces output like this:

  =================================================
  Error 404

  HTTP Web Server: Couldn't find design note - ******
  ----------------------------------------------------------------------------
  Lotus-Domino Release 5.0.6a
  =================================================
  ******: The JavaScript code is executed here.

  This vulnerability is quite similar to "IIS cross-site scripting
  vulnerabilities (MS00-060)" reported by Microsoft on August 25, 2000.
  <http://www.microsoft.com/technet/security/bulletin/ms00-060.asp>

Impact:
======
  For the detail about cross-site scripting, see the following pages.
  <http://www.cert.org/advisories/CA-2000-02.html>
  <http://www.microsoft.com/TechNet/security/crssite.asp>

Workaround:
==========
  Customize error pages.

--
Hiromitsu Takagi, Ph.D.
National Institute of Advanced Industrial Science and Technology,
Tsukuba Central 2, 1-1-1, Umezono, Tsukuba, Ibaraki 305-8568, Japan
http://www.etl.go.jp/~takagi/
(6697747) / <Katherine_Spanbauer@lotus.com>/(Re-wrapped)
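
Added example (not part of the original postings and not Lotus code): a Python model of the 404 page quoted in the advisory, showing the reflecting behaviour next to an output-encoded page and the "customize error pages" workaround, with a regression check for each. The function names, template layout and banner string are assumptions made for illustration.

```python
import html
from urllib.parse import unquote

# Request path taken from the URL in the advisory.
ADVISORY_PATH = "/home.nsf/<img%20src=javascript:alert(document.domain)>"

# Constructed template modelled on the error page text quoted in the advisory.
ERROR_TEMPLATE = (
    "<html><head><title>Error 404</title></head><body>"
    "<h1>Error 404</h1>"
    "HTTP Web Server: Couldn't find design note - {name}"
    "<hr>{banner}</body></html>"
)


def _requested_name(raw_path):
    """Percent-decode the path and return its last segment (the missing note)."""
    return unquote(raw_path).rsplit("/", 1)[-1]


def render_404_reflecting(raw_path, banner="Example-Server"):
    """Behaviour the advisory describes: the decoded name is copied into HTML as-is."""
    return ERROR_TEMPLATE.format(name=_requested_name(raw_path), banner=banner)


def render_404_encoded(raw_path, banner="Example-Server"):
    """Same page, but every dynamic value is HTML-encoded before output."""
    return ERROR_TEMPLATE.format(
        name=html.escape(_requested_name(raw_path), quote=True),
        banner=html.escape(banner, quote=True),
    )


def render_404_static():
    """The advisory's workaround: a custom error page that echoes nothing."""
    return ("<html><head><title>Not found</title></head>"
            "<body><h1>The requested page was not found.</h1></body></html>")


def reflects_markup(page, raw_path):
    """Regression check: True if markup from the request path survives
    into the page byte-for-byte (i.e. the browser would parse it as HTML)."""
    name = _requested_name(raw_path)
    has_markup = any(ch in name for ch in "<>\"'&")
    return has_markup and name in page


if __name__ == "__main__":
    for label, page in (
        ("reflecting", render_404_reflecting(ADVISORY_PATH)),
        ("encoded", render_404_encoded(ADVISORY_PATH)),
        ("static", render_404_static()),
    ):
        print(f"{label:10s} reflects markup: {reflects_markup(page, ADVISORY_PATH)}")
```

The same reflects_markup check can be pointed at a real error page body in a test suite to confirm that a customized error page no longer echoes the request path.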