[SA11143] IBM Lotus Domino Server Quick Console Cross-Site Scripting

From: Secunia Security Advisories (sec-advsecunia.com)
Date: Wed Mar 17 2004 - 04:30:29 CST


TITLE:
IBM Lotus Domino Server Quick Console Cross-Site Scripting

SECUNIA ADVISORY ID:
SA11143

VERIFY ADVISORY:
http://secunia.com/advisories/11143/

CRITICAL:
Less critical

IMPACT:
Cross Site Scripting

WHERE:
From remote

SOFTWARE:
Lotus Domino R6

DESCRIPTION:
Dr_insane has reported a vulnerability in IBM Lotus Domino, which can
be exploited by malicious people to conduct cross-site scripting
attacks.

The vulnerability is caused by missing input validation in the
"Quick Console" in the administrative web interface ("webadmin.nsf").
This can be exploited to execute arbitrary HTML and script code in an
administrative user's browser session in the context of an affected
site by tricking the user into visiting a malicious website or
clicking a specially crafted link.

The vulnerability has been reported in version 6.5.1. Other versions
may also be affected.

Two other issues were also reported in the folder creation
functionality of the administrative web interface. An administrative
user can enumerate files on the system and create folders in
arbitrary locations via directory traversal.

SOLUTION:
Filter malicious characters and character sequences in a proxy
server.
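The three defensive measures the advisory implies (encode user text before it is echoed into the administrative page, keep a requested folder path inside the server's data directory, and screen parameters for the character sequences a proxy would filter) are shown below as an added example. It is not code from Secunia, IBM or the original reporter; the `DATA_ROOT` path and the function names are constructed placeholders, and the proxy screen is the stopgap the SOLUTION section describes, not a substitute for fixing the application.

```python
import html
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote_plus

# Constructed placeholder; the real Domino data directory is not on the page.
DATA_ROOT = "/srv/domino/data"

# A ".." path segment at the start, between separators, or at the end.
TRAVERSAL_SEGMENT = re.compile(r"(^|[/\\])\.\.([/\\]|$)")
# Characters that can break out of an HTML text or attribute context.
MARKUP_CHARS = re.compile(r"[<>\"']")


def render_console_output(user_text: str) -> str:
    """Embed user-controlled text in an HTML page by encoding it for the
    HTML context, so the browser renders it as text rather than markup.
    Output encoding is the application-side fix for the missing input
    validation described above."""
    return "<pre>" + html.escape(user_text, quote=True) + "</pre>"


def resolve_folder_path(base_dir: str, requested: str) -> Optional[str]:
    """Return the normalized path for a folder the user asked to create,
    or None when the request would land outside base_dir.

    The check is purely lexical (posixpath), so it runs on any platform
    without touching the filesystem. A server that follows symlinks should
    additionally compare os.path.realpath() of the result against base_dir."""
    if "\0" in requested or "\\" in requested or posixpath.isabs(requested):
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, requested))
    if candidate == base or candidate.startswith(base.rstrip("/") + "/"):
        return candidate
    return None


def flag_parameter(raw_value: str) -> List[str]:
    """Proxy-side screen for one query or form parameter. Decodes exactly
    once (to match a single backend decode) and reports which sequence
    classes were found; an empty list means nothing was flagged."""
    decoded = unquote_plus(raw_value)
    reasons = []
    if TRAVERSAL_SEGMENT.search(decoded):
        reasons.append("traversal")
    if MARKUP_CHARS.search(decoded):
        reasons.append("markup")
    return reasons


if __name__ == "__main__":
    print(render_console_output("<b>status</b>"))
    print(resolve_folder_path(DATA_ROOT, "reports/2004"))
    print(resolve_folder_path(DATA_ROOT, "../../etc"))
    print(flag_parameter("..%2F..%2Fetc"))
```

`flag_parameter` is deliberately a denylist: it catches the obvious sequences but cannot know the encoding rules of the backend, which is why the advisory's proxy filter is rated a workaround and the encoding and path containment checks belong in the application itself.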

PROVIDED AND/OR DISCOVERED BY:
Dr_insane

ORIGINAL ADVISORY:
http://members.lycos.co.uk/r34ct/main/ibm_lotus_domino/lotus.txt

----------------------------------------------------------------------

About:
This advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------
