Lotus Domino iNotes javascript: Filter Bypass

2006-02-10T07:02:51
ID OSVDB:23079
Type osvdb
Reporter Jakob Balle(jb@secunia.com)
Modified 2006-02-10T07:02:51

Description

Vulnerability Description

Lotus Notes contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does properly validate JavaScript content that contains a ' ' character, bypassing the existing security filters. This could allow an attacker to create a specially crafted link that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Upgrade to version 6.5.5, 7.0.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

Lotus Notes contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does properly validate JavaScript content that contains a ' ' character, bypassing the existing security filters. This could allow an attacker to create a specially crafted link that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

References:

Vendor Specific Advisory URL Security Tracker: 1015610 Secunia Advisory ID:16340 Related OSVDB ID: 23078 Related OSVDB ID: 23077 Other Advisory URL: http://secunia.com/secunia_research/2005-38/advisory/ Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-02/0183.html ISS X-Force ID: 24613 FrSIRT Advisory: ADV-2006-0499 CVE-2006-0663 Bugtraq ID: 16577