Vulnerability Development mailing list archives

Re: Notes Domino Server Platform for e-commerce?


From: core.lists.exploit-dev () CORE-SDI COM (Gerardo Richarte)
Date: Thu, 10 Feb 2000 12:51:44 -0300


"Baasner, Frank" wrote:

Hi there,

some folks in my company would like to install an e-commerce
web-server based on Lotus Domino 5.0. Does anybody have concerns
about the vulnerability of Notes/Domino regarding this purpose?

    Hi, while working for a client, Raul Wain here at Core SDI found
something interesting in Lotus Domino Web Server. He found it digging
in "Lotus Domino R5.0: A Developer's Handbook", so it's known to IBM:
    It's easy to insert HTML tags into a page a user can control (such
as a webmail application running on top of a Domino Server), the same
thing as CERT's advisory CA-2000-02. Of course you can filter this
manually, but you have to be careful.
    Simply, if you are reading this email in a webmail application
mounted on a Domino Server, you'd have already seen a window popping
up. I've done it like
[<Script>javascript:window.open('','','')</Script>].
    And I'm not sure, but it may be possible to insert functions to be
executed on the server, with syntax like [@function] or @function inside
a form, but, again, I'm not sure (just tried once without succeeding).
    Ok, if you need more information, ask me, or swain () core-sdi com,
who originally found this (in the manual).

    richie

A390 1BBA 2C58 D679 5A71 - 86F9 404F 4B53 3944 C2D0
Research and Development - CoreLabs - Core SDI
http://www.core-sdi.com

--- For a personal reply use gera () core-sdi com
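
On the message's remark that manual filtering needs care, an added example that is not part of the original post: a case-sensitive tag filter passes the mixed-case payload quoted in the message unchanged, while output encoding leaves no markup to interpret. The function names are hypothetical, and encoding the square brackets assumes the renderer gives them meaning, as the bracketed payload in the message suggests.

```python
import html
import re

# Payload exactly as quoted in the message: a mixed-case tag in square brackets.
PAYLOAD = "[<Script>javascript:window.open('','','')</Script>]"

# Anything that still looks like the start of an HTML tag.
TAG_START = re.compile(r"<\s*/?\s*[A-Za-z]")


def naive_filter(text):
    """Manual blacklist: delete the literal lowercase script tags only."""
    return text.replace("<script>", "").replace("</script>", "")


def encode_for_html(text):
    """Encode instead of delete, so the text survives but is inert.

    html.escape covers & < > " and '. The brackets are encoded as well,
    on the assumption (labelled in the lead-in) that the renderer treats
    bracketed text specially.
    """
    escaped = html.escape(text, quote=True)
    return escaped.replace("[", "&#91;").replace("]", "&#93;")


def contains_markup(text):
    """True if the output still carries something a browser parses as a tag."""
    return bool(TAG_START.search(text))


def render_body(user_text):
    """Place user-controlled text into a page fragment (hypothetical template)."""
    return '<div class="mail-body">' + encode_for_html(user_text) + "</div>"


if __name__ == "__main__":
    filtered = naive_filter(PAYLOAD)
    print("naive filter :", filtered, "| markup left:", contains_markup(filtered))
    encoded = encode_for_html(PAYLOAD)
    print("encoded      :", encoded, "| markup left:", contains_markup(encoded))
    print("fragment     :", render_body(PAYLOAD))
```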

