TECHNICAL BULLETIN
| PROBLEM: | IBM Lotus Notes is prone to an HTML-injection vulnerability. |
| PLATFORM: | IBM Lotus Notes 8.5 |
| ABSTRACT: | The application fails to properly sanitize user-supplied input before using it in dynamically generated content. |
| LINKS: | |
| DOE-CIRC BULLETIN: | http://www.doecirc.energy.gov/bulletins/t-235.shtml |
| OTHER LINKS: | Security Focus: http://www.securityfocus.com/bid/36305/info; IBM Website: http://www-01.ibm.com/support/docview.wss?uid=swg21403834 |
| IMPACT ASSESSMENT: | This risk is medium. An attacker can exploit this issue by enticing an unsuspecting user to view a malicious RSS feed. |
Discussion: The product provides some widgets which can be added and enabled by the user. One of those widgets provides a simple RSS reader. This reader downloads the RSS file, extracts the items and saves them locally as HTML files. The interpretation and display of the RSS items is handled by Internet Explorer according to the applied security zone. The RSS items are handled like web documents, which introduces the possibility of running script code or embedding multimedia objects (e.g. Flash or movies). Because locally saved files run in the Local Zone of Internet Explorer, some privilege escalation is possible.

Solution: IBM has been informed immediately. They are able to address this vulnerability with a hotfix.
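
The Discussion describes feed items being written to local HTML files without sanitization. The Python sketch below is an added example, not IBM's hotfix and not code from this bulletin: it escapes every feed field before it reaches the page, accepts only absolute http(s) links, and adds Internet Explorer's Mark of the Web comment so the saved file is rendered in the Internet zone rather than the local one. The function names and the sample feed are constructed for illustration.

```python
import html
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample feed: the second item carries markup in every field.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed feed</title>
<item><title>Release notes</title>
<link>https://example.com/notes</link>
<description>Plain text summary.</description></item>
<item><title>&lt;script&gt;alert(1)&lt;/script&gt;</title>
<link>javascript:alert(1)</link>
<description>&lt;object data="movie.swf"&gt;&lt;/object&gt; &amp; more</description></item>
</channel></rss>"""

# Mark of the Web: Internet Explorer applies the Internet zone to a local
# file that carries this comment near the top (the line ends with CR LF).
MOTW = "<!-- saved from url=(0014)about:internet -->\r\n"


def safe_link(url):
    """Return the URL only if it is absolute http(s); otherwise None."""
    url = (url or "").strip()
    parts = urlsplit(url)
    return url if parts.scheme in ("http", "https") and parts.netloc else None


def render_item(item):
    """Render one <item> as an HTML page with every feed field escaped."""
    title = html.escape(item.findtext("title") or "", quote=True)
    body = html.escape(item.findtext("description") or "", quote=True)
    link = safe_link(item.findtext("link"))
    anchor = ""
    if link:  # links with any other scheme are dropped, not rewritten
        anchor = f'<p><a href="{html.escape(link, quote=True)}">Source</a></p>'
    return (
        "<!DOCTYPE html>\r\n" + MOTW +
        f'<html><head><meta charset="utf-8"><title>{title}</title></head>'
        f"<body><h1>{title}</h1><p>{body}</p>{anchor}</body></html>"
    )


def render_feed(feed_xml):
    """Parse an RSS 2.0 document and return one escaped HTML page per item."""
    root = ET.fromstring(feed_xml)
    return [render_item(item) for item in root.iter("item")]
```

Escaping treats item content as text only, so feeds that legitimately ship formatted HTML in their descriptions would need an allow-list sanitizer instead of `html.escape`.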
Voice: 866-941-2472
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov