heise online IT news, features and forums at heise online UK
21 May 2008, 15:38

Code can be injected into IBM's Lotus Domino

MWR InfoSecurity has published a security advisory explaining that the Web Access component used in IBM's Lotus Domino contains several security flaws that allow attackers to inject malicious code into the server, or to spy on data, using cross-site scripting. IBM has released updated versions of the software to close the holes.


When processing overlong values in the HTTP Accept-Language header, a stack-based buffer overflow can occur. According to MWR InfoSecurity's security advisory, the buffer overflow then allows arbitrary code to be injected and executed, with system rights on most installations. IBM's security advisory states that attackers do not even need valid login data; they merely need to be able to reach the server.
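A defender-side check for the condition described above, added here as an example and not taken from either advisory: it scans raw HTTP request headers and flags an Accept-Language value that is overlong or does not follow the language-range grammar. The length threshold, the hostname and the paths in the constructed sample requests are assumptions for this example.

```python
import re

# Longest Accept-Language value a well-behaved client is expected to send.
# This threshold is an assumption for the example, not a figure from the advisory.
MAX_ACCEPT_LANGUAGE_LEN = 256

# RFC 4647 language-range ("en", "en-GB", "*") with an optional q-value,
# elements separated by commas and optional whitespace.
_LANG_RANGE = r"(?:\*|[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*)"
_ELEMENT = rf"{_LANG_RANGE}(?:\s*;\s*q=(?:0(?:\.\d{{0,3}})?|1(?:\.0{{0,3}})?))?"
ACCEPT_LANGUAGE_RE = re.compile(rf"^\s*{_ELEMENT}(?:\s*,\s*{_ELEMENT})*\s*$")


def check_accept_language(value):
    """Return None if the header value looks benign, otherwise a reason string."""
    if len(value) > MAX_ACCEPT_LANGUAGE_LEN:
        return f"overlong ({len(value)} bytes)"
    if not ACCEPT_LANGUAGE_RE.match(value):
        return "malformed language range"
    return None


def scan_requests(raw_requests):
    """Return (request index, reason) for every request with a suspicious Accept-Language header."""
    findings = []
    for i, raw in enumerate(raw_requests):
        for line in raw.split("\r\n"):
            name, sep, val = line.partition(":")
            if sep and name.strip().lower() == "accept-language":
                reason = check_accept_language(val.strip())
                if reason:
                    findings.append((i, reason))
    return findings


# Constructed sample requests (not captured traffic); host and path are placeholders.
SAMPLE_REQUESTS = [
    "GET /mail/user.nsf HTTP/1.1\r\nHost: domino.example.com\r\nAccept-Language: en-GB,en;q=0.8\r\n\r\n",
    "GET /mail/user.nsf HTTP/1.1\r\nHost: domino.example.com\r\nAccept-Language: " + "A" * 1024 + "\r\n\r\n",
    "GET /mail/user.nsf HTTP/1.1\r\nHost: domino.example.com\r\nAccept-Language: en-GB;q=abc\r\n\r\n",
]

if __name__ == "__main__":
    for idx, reason in scan_requests(SAMPLE_REQUESTS):
        print(f"request {idx}: suspicious Accept-Language: {reason}")
```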

The servlet engine and Web container do not correctly check user input, opening up the system to cross-site scripting attacks. Any JavaScript code injected runs with the rights of the Web Access domain. Attackers can then, among other things, exploit the flaw to sniff information.

IBM has confirmed the flaws in Lotus Domino 7.0.3 and 8.0. Version 6 may also be affected. Updates have been released as versions 7.0.3 Fix Pack 1 (FP1) and 8.0.1 to close the holes. Administrators who provide their users with the Web access interface should install these updates immediately.

(trk)
