Message-ID: <20041021184952.26293.qmail@www.securityfocus.com>
Date: 21 Oct 2004 18:49:52 -0000
From: Juan C Calderon <juan.calderon@...com>
To: bugtraq@...urityfocus.com
Subject: Re: IBM Lotus Notes/Domino fails to encode Square Brackets ( [ ]
) in computed field/text, allowing XSS (Risk increased)
In-Reply-To: <20041018184817.32681.qmail@....securityfocus.com>
We are aware that, at least from R4 and later versions, embedded HTML code enclosed in square brackets is sent "as is" to the browser. We tested this issue in R6 and R5 environments and it worked; it should work in all prior versions that support this feature.
Additional testing has been performed on this issue; please see our findings below:
1) An Agent that modifies computed field values can transmit/inject the exploit to them.
2) <High Risk> We entered the exploit in an editable field, saved the document, and when we viewed the document in read mode, it worked!
The latest test shows how critical this problem can be.
The essence of the problem remains: sending an XSS attack by making Notes/Domino "honor" the code enclosed in square brackets, avoiding native HTML encoding.
Best Regards
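
Added example, not part of the original post and not IBM code: a Python sketch of a defensive check for the behaviour described above, which flags field values containing bracket-enclosed markup and encodes both HTML metacharacters and the square brackets themselves. The function names, the detection pattern and the sample document are constructed for illustration, and it is an assumption that entity-encoded brackets are no longer honored as pass-through by the server.

```python
import html
import re

# Assumption: per the post, markup is passed through when it sits between
# "[" and "]". The pattern is deliberately broad: any bracket pair whose
# contents include something tag-like.
BRACKETED_MARKUP = re.compile(r"\[[^\[\]]*<[^\[\]]*>[^\[\]]*\]", re.DOTALL)


def find_bracketed_markup(value):
    """Return every bracket-enclosed span in value that contains tag-like text."""
    return [m.group(0) for m in BRACKETED_MARKUP.finditer(value)]


def neutralize(value):
    """Encode HTML metacharacters first, then the square brackets.

    Brackets are replaced after html.escape so the '&' of the numeric
    entities is not escaped a second time.
    """
    encoded = html.escape(value, quote=True)
    return encoded.replace("[", "&#91;").replace("]", "&#93;")


def audit_document(fields):
    """Map field name -> suspicious spans, for fields that contain any.

    Covers both cases in the post: values typed into editable fields and
    values written into computed fields by an agent.
    """
    findings = {}
    for name, value in fields.items():
        spans = find_bracketed_markup(value)
        if spans:
            findings[name] = spans
    return findings


# Constructed sample document (harmless markup, field names are hypothetical).
SAMPLE_DOC = {
    "Subject": "Quarterly report [draft]",
    "Comment": "Thanks [<b>bold</b>] for the update",
    "Body": "if a < b then use list[0]",
}

if __name__ == "__main__":
    for field, spans in audit_document(SAMPLE_DOC).items():
        print(field, spans, "->", neutralize(SAMPLE_DOC[field]))
```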