In association with heise online

21 May 2008, 14:38

Code can be injected into IBM's Lotus Domino


MWR InfoSecurity has published a security advisory explaining that the Web Access component of IBM's Lotus Domino contains several security flaws. They allow attackers to inject and execute malicious code on the server or, via cross-site scripting, to spy on user data. IBM has released updated versions of the software to close the holes.

When processing an overlong value in the HTTP Accept-Language header, a stack-based buffer overflow can occur. According to MWR InfoSecurity's advisory, the overflow allows arbitrary code to be injected and executed, with system rights on most installations. IBM's security advisory states that attackers do not even need valid login data; they merely need to be able to reach the server.
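As an added illustration (not code from the advisory, MWR InfoSecurity or IBM), the check below parses a raw HTTP request and flags Accept-Language values that are overlong or not well-formed language ranges, the kind of test a reverse proxy rule or a log-review script in front of a Domino server could apply. The 256-byte threshold and the sample requests are assumptions; the advisory gives no exact trigger length.

```python
import re
from typing import Dict, List

# Threshold is an assumption for illustration; the advisory gives no exact length.
MAX_ACCEPT_LANGUAGE_LEN = 256

# One Accept-Language element: a language range with an optional q-weight.
_LANG_RANGE = re.compile(
    r"^(\*|[A-Za-z]{1,8}(-[A-Za-z0-9]{1,8})*)(;q=0(\.\d{0,3})?|;q=1(\.0{0,3})?)?$"
)

def parse_headers(raw_request: str) -> Dict[str, List[str]]:
    """Parse the header block of a raw HTTP request into a name -> values map.
    Names are lower-cased; obsolete line folding (leading SP/HTAB) is joined onto
    the previous value so that a folded overlong header is still measured whole."""
    headers: Dict[str, List[str]] = {}
    last_name = None
    for line in raw_request.split("\r\n")[1:]:   # skip the request line
        if line == "":
            break                                # end of header block
        if line[0] in " \t" and last_name is not None:
            headers[last_name][-1] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue                             # malformed line; ignore here
        last_name = name.strip().lower()
        headers.setdefault(last_name, []).append(value.strip())
    return headers

def accept_language_findings(raw_request: str, max_len: int = MAX_ACCEPT_LANGUAGE_LEN) -> List[str]:
    """Return findings for every Accept-Language value in one request: values longer
    than max_len, and comma-separated elements that are not valid language ranges."""
    findings: List[str] = []
    for value in parse_headers(raw_request).get("accept-language", []):
        if len(value) > max_len:
            findings.append(f"overlong Accept-Language ({len(value)} bytes > {max_len})")
        for item in value.split(","):
            item = re.sub(r"\s+", "", item)      # tolerate "en; q=0.8" spacing
            if item and not _LANG_RANGE.match(item):
                findings.append(f"malformed Accept-Language element: {item[:40]!r}")
    return findings

# Constructed sample requests (not taken from the advisory).
BENIGN = "GET /mail/x.nsf HTTP/1.1\r\nHost: domino.example\r\nAccept-Language: en-GB,en;q=0.8,de;q=0.5\r\n\r\n"
OVERLONG = "GET /mail/x.nsf HTTP/1.1\r\nHost: domino.example\r\nAccept-Language: " + "A" * 2000 + "\r\n\r\n"
FOLDED = "GET / HTTP/1.1\r\nAccept-Language: " + "en," * 100 + "\r\n " + "en," * 100 + "\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("overlong", OVERLONG), ("folded", FOLDED)):
        print(label, accept_language_findings(req) or ["ok"])
```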

The servlet engine and Web container do not correctly check user input, opening the system up to cross-site scripting attacks. Any injected JavaScript runs with the rights of the Web Access domain, which attackers could exploit to, among other things, sniff information.

IBM has confirmed the flaws in Lotus Domino 7.0.3 and 8.0. Version 6 may also be affected. Updates have been released as versions 7.0.3 Fix Pack 1 (FP1) and 8.0.1 to close the holes. Administrators who provide their users with the Web Access interface should install these updates immediately.
