|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
[SA15778] Lotus Domino HTML Attachment Script Insertion Vulnerability
From: Secunia Security Advisories (sec-adv
secunia.com)
Date: Thu Jul 14 2005 - 10:54:05 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
----------------------------------------------------------------------
Bist Du interessiert an einem neuen Job in IT-Sicherheit?
Secunia hat zwei freie Stellen als Junior und Senior Spezialist in IT-
Sicherheit:
http://secunia.com/secunia_vacancies/
----------------------------------------------------------------------
TITLE:
Lotus Domino HTML Attachment Script Insertion Vulnerability
SECUNIA ADVISORY ID:
SA15778
VERIFY ADVISORY:
http://secunia.com/advisories/15778/
CRITICAL:
Less critical
IMPACT:
Cross Site Scripting
WHERE:
From remote
SOFTWARE:
IBM Lotus Domino 6.x
http://secunia.com/product/720/
IBM Lotus Domino 5.x
http://secunia.com/product/207/
DESCRIPTION:
Shalom Carmel has reported a vulnerability in Lotus Domino, which can
be exploited by malicious people to conduct script insertion attacks.
The vulnerability is caused due to Domino failing to prompt users for
actions before displaying a HTML attachment in a browser. This can be
exploited to execute arbitrary HTML and script code in a user's
browser session in context of an affected site when the HTML
attachment is opened.
Successful exploitation requires that the user is tricked into
clicking on a HTML file attachment.
The vulnerability only affects users accessing the standard Notes
mail templates from a web client. It does not affect users accessing
the standard Notes mail templates from the Notes client nor users
using the Domino Web Access templates.
SOLUTION:
The vendor recommends using Domino Web Access.
PROVIDED AND/OR DISCOVERED BY:
Shalom Carmel
ORIGINAL ADVISORY:
IBM:
http://www-1.ibm.com/support/docview.wss?uid=swg21211783
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
----------------------------------------------------------------------
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]