Vulnerability Development mailing list archives
Re: Notes Domino Server Platform for e-commerce?
From: core.lists.exploit-dev () CORE-SDI COM (Gerardo Richarte)
Date: Thu, 10 Feb 2000 12:51:44 -0300
"Baasner, Frank" wrote:
Hi there, some folks in my company would like to install an e-commerce web-server based on Lotus Domino 5.0. Does anybody have concerns about the vulnerability of Notes/Domino regarding this purpose?
Hi, while working for a client, Raul Wain here at Core SDI found something interesting in Lotus Domino Web Server. He found it digging in "Lotus Domino R5.0: A Developer's Handbook", so it's known to IBM: it's easy to insert HTML tags into a page a user can control (such as a webmail application running on top of a Domino Server), the same thing as CERT's advisory CA-2000-02. Of course you can filter this manually, but you have to be careful.

Simply, if you are reading this email in a webmail application mounted on a Domino Server, you'd have already seen a window popping up; I've done it like [<Script>javascript:window.open('','','')</Script>].

And I'm not sure, but it may be possible to insert functions to be executed on the server, with syntax like [@function] or @function inside a form, but, again, I'm not sure (just tried once without succeeding).

Ok, if you need more information, ask me, or swain () core-sdi com, who originally found this (in the manual).

richie
A390 1BBA 2C58 D679 5A71 - 86F9 404F 4B53 3944 C2D0
Investigacion y Desarrollo - CoreLabs - Core SDI
http://www.core-sdi.com
---
For a personal reply use gera () core-sdi com
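The post warns that you can filter injected HTML manually "but you have to be careful". The following is an added example, not code from the post or from Lotus Domino, contrasting the blacklist-style filters people tend to write with proper output encoding. It uses the payload quoted above as constructed test input; the filter names and the two extra payloads are assumptions made for the demo, not anything reported on this page.

```python
import html
import re

# The payload quoted in the post above, used here as constructed test input.
# Note the mixed-case "Script", which is what defeats the first filter.
POSTED_PAYLOAD = "[<Script>javascript:window.open('','','')</Script>]"

# Two further constructed payloads (assumed for the demo, not from the post):
# an event-handler attribute, and a nested tag that re-forms after one removal pass.
ATTRIBUTE_PAYLOAD = '<img src="x" onerror="alert(1)">'
NESTED_PAYLOAD = "<scr<script>ipt>alert(1)</scr</script>ipt>"


def naive_strip_script(text: str) -> str:
    """Hypothetical first attempt: delete the literal lowercase <script> tag.

    Case-sensitive, so "<Script>" passes straight through.
    """
    return text.replace("<script>", "").replace("</script>", "")


def blacklist_strip_tags(text: str) -> str:
    """Hypothetical second attempt: case-insensitive removal of known-bad tags.

    Still a blacklist. It knows nothing about event-handler attributes on
    allowed tags, and a single non-iterative pass can reassemble a tag out of
    the fragments it leaves behind.
    """
    return re.sub(r"</?(script|iframe|object|embed)[^>]*>", "", text, flags=re.IGNORECASE)


def escape_for_html_text(text: str) -> str:
    """Output encoding for an HTML text context.

    Every character that has meaning to the HTML parser (<, >, &, ", ')
    becomes an entity, so user data can never open a tag or an attribute,
    whatever case or nesting trick it uses.
    """
    return html.escape(text, quote=True)


def contains_markup(text: str) -> bool:
    """Crude check used by the demo: is there still something that parses as a tag?"""
    return re.search(r"<[a-zA-Z/!]", text) is not None


def demo() -> dict:
    """Run each payload through each filter; True means markup survived."""
    filters = {
        "naive": naive_strip_script,
        "blacklist": blacklist_strip_tags,
        "escape": escape_for_html_text,
    }
    payloads = {
        "posted": POSTED_PAYLOAD,
        "attribute": ATTRIBUTE_PAYLOAD,
        "nested": NESTED_PAYLOAD,
    }
    return {
        fname: {pname: contains_markup(f(p)) for pname, p in payloads.items()}
        for fname, f in filters.items()
    }


if __name__ == "__main__":
    for fname, results in demo().items():
        print(f"{fname:10s}", {k: ("UNSAFE" if v else "ok") for k, v in results.items()})
```

The point of the table `demo()` produces is that the two blacklists each let at least one payload through (the posted one beats the case-sensitive filter, the attribute and nested payloads beat the case-insensitive one), while entity-encoding neutralises all three. If a webmail application needs to render some HTML from mail bodies rather than show it as text, the answer is a whitelist-based sanitiser that parses the markup, not a longer blacklist.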