Message-ID: <20041021184952.26293.qmail@www.securityfocus.com>
Date: 21 Oct 2004 18:49:52 -0000
From: Juan C Calderon <juan.calderon@...com>
To: bugtraq@...urityfocus.com
Subject: Re: IBM Lotus Notes/Domino fails to encode Square Brackets ( [  ]
    )    in computed field/text, allowing XSS (Risk increased)


In-Reply-To: <20041018184817.32681.qmail@....securityfocus.com>

We are aware that, at least from R4 and later versions, embedded HTML code enclosed in square brackets is sent "as is" to the browser. We tested this issue in R6 and R5 environments and it worked; it should work in all prior versions that support this feature.

Additional testing has been performed on this issue; please see our findings below:

1) An Agent that modifies computed field values can transmit/inject the exploit to them.
2) <High Risk> We entered the exploit in an editable field, saved the document, and when we saw the document in read mode, it worked!

The latest test shows how critical this problem can be.

The essence of the problem remains: sending an XSS attack by making Notes/Domino "honor" the code enclosed in square brackets, avoiding native HTML encoding.

Best Regards
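
The behaviour reported above can be audited for in stored data. The following is an added example, not part of the original post and not IBM code: it scans document field values for square-bracket spans that carry markup. The field names, the sample document and the rule "any bracketed span containing `<` is suspect" are assumptions, since the post does not give the exact parsing rules Domino applies.

```python
import re

# Assumption: a "[...]" span that contains "<" is treated as markup that the
# server would send to the browser unencoded. Innermost brackets only.
PASSTHRU = re.compile(r"\[([^\[\]]*<[^\[\]]*)\]")


def find_passthru(value):
    """Return the bracket-enclosed spans in one text value that carry markup."""
    return [m.group(0) for m in PASSTHRU.finditer(value)]


def audit_document(fields):
    """Map field name -> suspect spans, for fields that contain any.

    `fields` is a dict of field name -> text, or a list of texts for
    multi-value fields. Non-text values are skipped.
    """
    findings = {}
    for name, value in fields.items():
        values = value if isinstance(value, (list, tuple)) else [value]
        spans = [s for v in values if isinstance(v, str)
                 for s in find_passthru(v)]
        if spans:
            findings[name] = spans
    return findings


# Constructed sample document (hypothetical field names, benign markup).
SAMPLE_DOC = {
    "Subject": "Quarterly report [draft]",         # brackets, no markup
    "Body": "See [<b>totals</b>] below",           # bracketed markup
    "Tags": ["x[1] < y[2]", "[<i>new</i>]"],       # multi-value field
    "Count": 3,                                    # non-text, skipped
}

if __name__ == "__main__":
    for field, spans in audit_document(SAMPLE_DOC).items():
        print(f"{field}: {spans}")
```

Because the rule is deliberately broad, text such as `[a<b]` is also reported; findings are candidates for review rather than confirmed injections.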

