IBM Lotus Domino HTTP Response Splitting and Cross-Site Scripting Vulnerabilities
Last Update Date: 21 Aug 2012 13:26
Release Date: 21 Aug 2012
RISK: High Risk
TYPE: Servers - Other Servers
Multiple vulnerabilities have been identified in IBM Lotus Domino, which can be exploited by malicious people to conduct HTTP response splitting and cross-site scripting attacks.
- Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to insert arbitrary HTTP headers, which are included in a response sent to the user. This allows arbitrary HTML and script code to be executed in a user's browser session in context of an affected site.
- Certain unspecified input related to help and webmail is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
NOTE: A vendor patch is currently unavailable.
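As an added illustration of the two issue classes above (not part of the advisory and not IBM's code), a Python check that fails closed when a CR/LF reaches an outgoing header value, plus a detector run over constructed access-log lines; the log format, paths and parameter names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format assumed); not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Aug/2012:13:26:01 +0800] "GET /example.nsf?OpenDatabase HTTP/1.1" 200 5120',
    '10.0.0.9 - - [21/Aug/2012:13:26:02 +0800] "GET /example.nsf?Open&src=%0d%0aX-Test:%201 HTTP/1.1" 302 0',
    '10.0.0.7 - - [21/Aug/2012:13:26:03 +0800] "GET /help.nsf?Open&q=%3Cscript%3E HTTP/1.1" 200 900',
]

HEADER_CONTROL_CHARS = re.compile(r"[\r\n\x00]")


def safe_header_value(value: str) -> str:
    """Return value unchanged if it is safe to place in an HTTP header.

    Response splitting needs a line break inside a header value, so the
    presence of CR, LF or NUL is rejected outright (fail closed) rather than
    silently stripped, which would hide the injection attempt from logs.
    """
    if HEADER_CONTROL_CHARS.search(value):
        raise ValueError("header value contains CR, LF or NUL")
    return value


def request_target(log_line: str) -> str:
    """Pull the request target out of a Common Log Format line ('' if absent)."""
    m = re.search(r'"(?:GET|POST|HEAD) (\S+) HTTP/', log_line)
    return m.group(1) if m else ""


def flag_suspicious(log_lines):
    """Return (index, reason) for requests whose decoded target carries
    CR/LF (response-splitting shape) or angle brackets (reflected-XSS shape).

    The target is percent-decoded twice so a double-encoded %250d%250a is
    also caught; tune this if the application legitimately double-encodes.
    """
    hits = []
    for i, line in enumerate(log_lines):
        decoded = unquote(unquote(request_target(line)))
        if "\r" in decoded or "\n" in decoded:
            hits.append((i, "crlf"))
        elif "<" in decoded or ">" in decoded:
            hits.append((i, "markup"))
    return hits
```

Running `flag_suspicious(SAMPLE_LOG)` flags the second line as a CR/LF attempt and the third as reflected markup; the first is clean.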
Impact
- Cross-Site Scripting
- Information Disclosure
- Data Manipulation
System / Technologies affected
- IBM Lotus Domino 8.x
Solutions
Before installing the software, please visit the software manufacturer's website for more details.
- Update to version 8.5.4 when available (scheduled for release in February, 2013).
- Workaround:
Set the following variable on the Domino server NOTES.INI, available in release 7.0 and later:
DominoValidateFramesetSRC=1
Vulnerability Identifier
Source
Related Link