Re: IBM Lotus Notes/Domino fails to encode Square Brackets ( [ ] ) in computed field/text, allowing XSS (Risk increased)
In-Reply-To: <20041018184817.32681.qmail@xxxxxxxxxxxxxxxxxxxxx>
We are aware that at least from R4 and later versions, embedded HTML code
enclosed in square brackets is sent "as is" to the browser; we tested this issue in
R6 and R5 environments and it worked, and it should work in all prior versions that
support this feature.
Additional testing has been performed on this issue; please see our findings
below:
1) An Agent that modifies computed field values can transmit/inject the exploit to
them.
2) <High Risk> We entered the exploit in an editable field, saved the document,
and when we viewed the document in read mode, it worked!
The latest test shows how critical this problem can be.
The essence of the problem remains: sending an XSS attack by making Notes/Domino
"honor" the code enclosed in square brackets, avoiding native HTML encoding.
Best Regards
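The behaviour described in this thread, modelled as an added example that is not Domino's code and not part of the original post: a renderer that honours square-bracket passthrough (so a tag inside brackets reaches the browser unencoded), the hardened rendering that encodes untrusted field values in full, and a scan that flags stored fields carrying bracketed tags. The field names, the sample document and the passthrough regex are assumptions for the model.

```python
import html
import re

# Assumed model of the reported behaviour (not Domino's own code): text outside
# [ ... ] is HTML-encoded, text inside the brackets is sent to the browser as-is.
PASSTHROUGH = re.compile(r"\[(.*?)\]", re.DOTALL)


def render_passthrough(value):
    """Model of the flaw: bracketed content bypasses the native HTML encoding."""
    out, pos = [], 0
    for m in PASSTHROUGH.finditer(value):
        out.append(html.escape(value[pos:m.start()]))
        out.append(m.group(1))  # raw markup reaches the browser unencoded
        pos = m.end()
    out.append(html.escape(value[pos:]))
    return "".join(out)


def render_hardened(value):
    """Untrusted field values are encoded in full; brackets get no special meaning."""
    return html.escape(value, quote=True)


# Detection heuristic for documents already stored: a bracketed run containing a tag.
SUSPICIOUS = re.compile(r"\[[^\]]*<\s*/?\s*[a-zA-Z][^\]]*\]")


def find_suspicious_fields(doc):
    """Return the names of string fields whose value holds bracketed markup."""
    return [name for name, val in doc.items()
            if isinstance(val, str) and SUSPICIOUS.search(val)]


if __name__ == "__main__":
    # Constructed sample document; the editable field holds a harmless bracketed tag.
    doc = {"Subject": "Status [<b>urgent</b>]", "Body": "plain text", "Author": "user"}
    print(render_passthrough(doc["Subject"]))  # Status <b>urgent</b>
    print(render_hardened(doc["Subject"]))     # Status [&lt;b&gt;urgent&lt;/b&gt;]
    print(find_suspicious_fields(doc))         # ['Subject']
```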