[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IBM Lotus Notes/Domino fails to encode Square Brackets ( [ ] ) in computed field/text, allowing XSS (Risk increased)

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: IBM Lotus Notes/Domino fails to encode Square Brackets ( [ ] ) in computed field/text, allowing XSS (Risk increased)
From: Juan C Calderon <juan.calderon@xxxxxx>
Date: 21 Oct 2004 18:49:52 -0000

In-Reply-To: <20041018184817.32681.qmail@xxxxxxxxxxxxxxxxxxxxx>

We are aware that at least from R4 and later versions embedded HTML code 
enclosed in square brackets is send "as is" to browser, we tested this issue in 
R6 and R5 environments and it worked, it should work in all prior versions that 
support this feature.

Additional testing has being performed on this issue, please see our findings 
below:

1)An Agent that modify computed field values can transmit/inject the exploit to 
them.
2) <High Risk> We entered the exploit in an editable field, save the document 
and when we see the document in read mode, it worked!.

The latest test shows how critical can this problem be.  

The essence of the problem remains, sending a XSS attack by making Notes/Domino 
to "honor" the code enclosed in square brackets avoiding native HTML encoding.

Best Regards

Prev by Date: MDKSA-2004:110 - Updated gaim packages fix vulnerabilities
Next by Date: HTTP Response Splitting in Serendipity 0.7-beta4
Previous by thread: MDKSA-2004:110 - Updated gaim packages fix vulnerabilities
Next by thread: HTTP Response Splitting in Serendipity 0.7-beta4
Index(es):
- Date
- Thread