IBM Lotus Notes 'names.nsf' Open Redirection Vulnerability
Category IBM/Lotus
From SecurityFocus: IBM Lotus Notes 'names.nsf' Open Redirection Vulnerability
Bugtraq ID: 38852
Class: Input Validation Error
CVE:
Remote: Yes
Local: No
Published: Mar 19 2010 12:00AM
Updated: Mar 19 2010 12:00AM
Credit: Yaniv Miron aka "Lament"
Vulnerable:
IBM Lotus Notes 6.5.6
IBM Lotus Notes 6.5.5
IBM Lotus Notes 6.5.4
IBM Lotus Notes 6.5.3
IBM Lotus Notes 6.5.2
IBM Lotus Notes 6.5.1
IBM Lotus Notes 6.5
IBM Lotus Notes 6.0.5
IBM Lotus Notes 6.0.4
IBM Lotus Notes 6.0.3
IBM Lotus Notes 6.0.2
IBM Lotus Notes 6.0.1
IBM Lotus Notes 6.0
IBM Lotus Notes 6.5.6 FP2
IBM Lotus Notes 6.5.5 FP3
IBM Lotus Notes 6.5.5 FP2
Not Vulnerable:
IBM Lotus Notes is prone to an open-redirection vulnerability because the application fails to properly sanitize user-supplied input.
A successful exploit may aid in phishing attacks; other attacks are possible.
Lotus Notes 6.x is vulnerable; other versions may also be affected.
An attacker can exploit this issue by enticing an unsuspecting victim into following a malicious URI.
The following example POST data is available:
POST /names.nsf?Login HTTP/1.1
Connection: Keep-Alive
%25%25ModDate=xxxxxxxxxxxxxxxx&Username=yyyy+zzzz&Password=aaaaaa&RedirectTo=http://www.example.com&SaveOptions=0&...
Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.
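With no vendor patch listed, one mitigation is to validate the RedirectTo field of the names.nsf?Login form body before it reaches the server, for example in a reverse proxy or request filter. The following is an added example, not code from the advisory or from IBM; the allowed host name and both function names are assumptions.

```python
from urllib.parse import parse_qsl, urlsplit

# Assumption: the only host this deployment should redirect to after login.
ALLOWED_HOSTS = {"mail.example.org"}


def redirect_target_is_safe(target, allowed_hosts=ALLOWED_HOSTS):
    """Return True if a RedirectTo value stays on an allowed host."""
    # Browsers treat "\" like "/" and ignore surrounding whitespace.
    cleaned = target.strip().replace("\\", "/")
    # Embedded control characters (tab, CR, LF) are dropped by browsers
    # and can hide a host name, so reject them outright.
    if any(ord(c) < 0x20 for c in cleaned):
        return False
    try:
        parts = urlsplit(cleaned)
    except ValueError:  # malformed authority, e.g. an unclosed "["
        return False
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only a rooted path such as /mail/user.nsf.
        # "///host" has an empty netloc here but browsers read it as "//host".
        return cleaned.startswith("/") and not cleaned.startswith("//")
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    # Absolute URLs and scheme-relative "//host/path" forms end up here.
    return (parts.hostname or "").lower() in allowed_hosts


def login_body_is_safe(body, allowed_hosts=ALLOWED_HOSTS):
    """Check every RedirectTo field in a names.nsf?Login form body."""
    for name, value in parse_qsl(body):
        # The field name is compared case-insensitively (assumption about
        # how the server matches it); blank values are skipped by parse_qsl.
        if name.lower() == "redirectto" and not redirect_target_is_safe(value, allowed_hosts):
            return False
    return True
```

A filter built on this would reject or strip the field when `login_body_is_safe` returns False and log the request for review.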
References:
- IBM Lotus Notes Homepage (IBM)
- IBM Lotus 6.x HTTP Response Splitting Vulnerability (lament@ilhack.org)


