Code can be injected into IBM's Lotus Domino
MWR InfoSecurity has published a security advisory explaining that the Web Access component used in IBM's Lotus Domino contains several security flaws: attackers can inject malicious code into the server, or spy on data by means of cross-site scripting. IBM has released updated versions of the software to close the holes.
An overlong value in the Accept-Language HTTP request header can trigger a stack-based buffer overflow when the server processes it. According to MWR InfoSecurity's security advisory, the buffer overflow then allows arbitrary code to be injected and executed, with system rights on most installations. IBM's security advisory states that attackers do not even need valid login data; they merely need to be able to reach the server.
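Because the trigger described above is simply an oversized or malformed Accept-Language value, the condition is easy to spot on the wire. The following is an added example of a request-side check a defender could run over captured traffic or place in a reverse proxy in front of the Web Access interface while patches are being rolled out; it is not code from the advisories or from IBM. The length threshold, the hostname and the sample requests are constructed for illustration and are not values taken from the page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed threshold: real browsers send a few dozen bytes in Accept-Language,
# so anything beyond this is treated as suspicious. It is not a figure from
# the advisory, only a conservative filter setting.
MAX_ACCEPT_LANGUAGE_LEN = 256

# One language range with an optional quality value, loosely following
# RFC 4647 / RFC 7231 syntax, e.g. "en-US", "de;q=0.8", "*".
_LANG_RANGE = re.compile(
    r"^(\*|[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*)"
    r"(?:\s*;\s*q\s*=\s*(?:0(?:\.\d{0,3})?|1(?:\.0{0,3})?))?$"
)


@dataclass
class Verdict:
    suspicious: bool
    reason: str
    value: Optional[str]


def parse_headers(raw_request: str) -> dict:
    """Split a raw HTTP/1.x request head into a lowercase-keyed header dict."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_accept_language(raw_request: str) -> Verdict:
    """Flag requests whose Accept-Language header is overlong or malformed."""
    headers = parse_headers(raw_request)
    value = headers.get("accept-language")
    if value is None:
        return Verdict(False, "header absent", None)
    if len(value) > MAX_ACCEPT_LANGUAGE_LEN:
        return Verdict(True, f"value length {len(value)} exceeds {MAX_ACCEPT_LANGUAGE_LEN}", value)
    for item in value.split(","):
        item = item.strip()
        if not item:  # empty list elements are tolerated by HTTP
            continue
        if not _LANG_RANGE.match(item):
            return Verdict(True, f"malformed language range: {item[:40]!r}", value)
    return Verdict(False, "ok", value)


# Constructed sample requests (hostname and paths are made up).
NORMAL_REQUEST = (
    "GET /mail/user.nsf HTTP/1.1\r\n"
    "Host: domino.example.test\r\n"
    "Accept-Language: en-US,en;q=0.5\r\n\r\n"
)
OVERLONG_REQUEST = (
    "GET /mail/user.nsf HTTP/1.1\r\n"
    "Host: domino.example.test\r\n"
    "Accept-Language: " + "A" * 2000 + "\r\n\r\n"
)
MALFORMED_REQUEST = (
    "GET /mail/user.nsf HTTP/1.1\r\n"
    "Host: domino.example.test\r\n"
    "Accept-Language: en-US,#####\r\n\r\n"
)

if __name__ == "__main__":
    for name, req in [("normal", NORMAL_REQUEST),
                      ("overlong", OVERLONG_REQUEST),
                      ("malformed", MALFORMED_REQUEST)]:
        v = check_accept_language(req)
        print(f"{name:10s} suspicious={v.suspicious} reason={v.reason}")
```

A check like this is a stop-gap, not a fix: it reduces exposure of an unpatched server to the header condition the advisory describes, but the updates named below remain the actual remedy.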
IBM has confirmed the flaws in Lotus Domino 7.0.3 and 8.0. Version 6 may also be affected. Updates have been released as versions 7.0.3 Fix Pack 1 (FP1) and 8.0.1 to close the holes. Administrators who provide their users with the Web access interface should install these updates immediately.
- IBM Lotus Domino "Accept-Language" Stack Overflow (PDF), MWR InfoSecurity's security advisory
- Lotus Domino Web server 'Accept-Language' stack overflow, IBM's security advisory
- Potential vulnerability in servlet engine/Web container in Lotus Domino Web servers, IBM's security advisory