
Re: IBM Lotus Notes/Domino fails to encode Square Brackets ( [ ] ) in computed field/text, allowing XSS (Risk increased)



In-Reply-To: <20041018184817.32681.qmail@xxxxxxxxxxxxxxxxxxxxx>

We are aware that, at least from R4 and later versions, embedded HTML code 
enclosed in square brackets is sent "as is" to the browser. We tested this issue in 
R6 and R5 environments and it worked; it should work in all prior versions that 
support this feature.

Additional testing has been performed on this issue; please see our findings 
below:

1) An Agent that modifies computed field values can transmit/inject the exploit to 
them.
2) <High Risk> We entered the exploit in an editable field, saved the document, 
and when we viewed the document in read mode, it worked!

The latest test shows how critical this problem can be.

The essence of the problem remains: sending an XSS attack by making Notes/Domino 
"honor" the code enclosed in square brackets, bypassing native HTML encoding.

Best Regards