Info

Disclosure

Jul 02, 2001

Discovery

Mar 18, 2001

Dates

Exploit

Jul 02, 2001

Solution

Oct 17, 2001

Description

Lotus Domino HTTP Service contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate that javascript has not been injected in the URL for a non-exiting script, and returns the URL in the error message. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Workaround, Upgrade
Exploit: Exploit Public
Disclosure: Vendor Verified, Third-party Verified
OSVDB: Web Related

Solution

Upgrade to version 5.0.9 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: Create a custom error page for display.

Products

International Business Machines Corporation	Domino	5.0
		5.0.1
		5.0.2
		5.0.3
		5.0.4
		5.0.5
		5.0.6
		5.0.7
		5.0.8

References

CVE ID: 2001-1161 (see also: NVD)
Bugtraq ID: 2962
CERT VU: 642239
ISS X-Force ID: 6789
Other Advisory URL: http://archives.neohapsis.com/archives/bugtraq/2001-07/0022.html
http://archives.neohapsis.com/archives/bugtraq/2001-07/0042.html
Mail List Post: http://seclists.org/bugtraq/2010/Mar/164
Vendor Specific Solution URL: http://www-1.ibm.com/support/docview.wss?rs=463&q1=1098216&uid=swg21098216&loc=en_US&cs=utf-8&lang=en+en

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/1887

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

International Business Machines Corporation

Domino

References

Credit