Vigil@nce: Lotus Domino, Cross Site Scripting of help
March 2010 by Vigil@nce
An attacker can lure a victim into opening a malicious URL, in
order to execute JavaScript code in the victim's browser, in the
context of the Lotus Domino server.
– Severity: 2/4
– Consequences: client access/rights
– Provenance: document
– Means of attack: 1 attack
– Ability of attacker: technician (2/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 02/03/2010
IMPACTED PRODUCTS
– Lotus Domino
DESCRIPTION OF THE VULNERABILITY
The Domino help is reachable via the following URL:
http://server/help/readme.nsf/
The HTML "base" element indicates the path which is common to all
relative URLs of the page. For example:
<base target="http://server/common">
When the URL contains the "BaseTarget=example" parameter, Domino
generates HTML code containing the indicated target:
<base target="example">
... script ... document._domino_target = "example";
However, the help page does not filter the value of BaseTarget
before including it in the HTML code.
An attacker can therefore lure a victim into opening a malicious
URL, in order to execute JavaScript code in the victim's browser,
in the context of the Lotus Domino server.
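The missing filtering described above touches two different output contexts: the "target" attribute and the script string assigned to document._domino_target. The following is an added example, not Domino's code or the vendor's fix, showing validation plus per-context encoding for both. All function names are hypothetical, and the allow-list of frame names and the "_self" fallback are assumed policies.

```python
import html
import json
import re

# Assumed policy (not from the advisory): a legitimate BaseTarget is a reserved
# target keyword or a short plain frame name.
RESERVED_TARGETS = {"_self", "_blank", "_parent", "_top"}
FRAME_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_-]{0,63}")


def validate_base_target(value):
    """Return the value if it matches the assumed allow-list, else None."""
    if value in RESERVED_TARGETS or FRAME_NAME.fullmatch(value):
        return value
    return None


def encode_html_attr(value):
    """Encode for a double-quoted HTML attribute value."""
    return html.escape(value, quote=True)


def encode_js_string(value):
    """Encode as a JavaScript string literal that is safe inside <script>."""
    literal = json.dumps(value)  # quotes, backslashes, control and non-ASCII chars
    # Escape markup characters so the value cannot end the script block.
    for char, escaped in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        literal = literal.replace(char, escaped)
    return literal


def render_fragment(base_target):
    """Write the value into both sinks shown in the advisory, encoded per sink."""
    return (
        '<base target="%s">\n'
        "<script>document._domino_target = %s;</script>"
        % (encode_html_attr(base_target), encode_js_string(base_target))
    )


def handle_request(base_target, default="_self"):
    """Validate first, fall back to a default, then render with encoding."""
    checked = validate_base_target(base_target)
    return render_fragment(checked if checked is not None else default)


if __name__ == "__main__":
    # Constructed inputs: one ordinary frame name, one carrying metacharacters.
    for sample in ("main", 'x"y<z>'):
        print(handle_request(sample))
        print(render_fragment(sample))
```

Encoding is applied even to validated values, so a later loosening of the allow-list does not reopen either sink.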
This bulletin may be a duplicate of VIGILANCE-VUL-5199
(https://vigilance.fr/tree/1/5199), but this is not confirmed.
CHARACTERISTICS
– Identifiers: BID-38481, CYBSEC Advisory#2010-030, CYBSEC
Advisory#2010-0301, VIGILANCE-VUL-9486
– Url: http://vigilance.fr/vulnerability/Lotus-Domino-Cross-Site-Scripting-of-help-9486