COMMAND

    Domino Server

SYSTEMS AFFECTED

    Lotus Domino Server 5.0.6

PROBLEM

    Hiromitsu Takagi found the following.  When the URL below is
    requested, the JavaScript code embedded in it is executed in the
    browser, in the server's domain.

        http://www.lotus.com/home.nsf/<img%20src=javascript:alert(document.domain)>

    This page produces output like this:

        =================================================
        Error 404
        HTTP Web Server: Couldn't find design note - ******
        
        ----------------------------------------------------------------------------
        Lotus-Domino Release 5.0.6a
        =================================================
        ******: The JavaScript code is executed here.

    This vulnerability is quite similar to the "IIS cross-site scripting
    vulnerabilities (MS00-060)" reported by Microsoft.
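
    The defect described above, as an added example that is not part of
    this advisory or of Lotus's code: a toy 404 handler that reflects the
    requested design-note name into the error page unescaped, next to one
    that HTML-escapes it before embedding.  The template text, the
    path-splitting helper and the sample path are assumptions constructed
    for the illustration, modelled on the output shown above.

```python
# Added example, not Domino code: unescaped vs. escaped reflection of the
# requested design-note name in a "Couldn't find design note" 404 page.
import html
from urllib.parse import unquote

# Constructed sample path, modelled on the advisory's URL (server URL-decodes it).
SAMPLE_PATH = "/home.nsf/<img%20src=javascript:alert(document.domain)>"

# Assumed error-page template, modelled on the advisory's output.
TEMPLATE = (
    "Error 404\n"
    "HTTP Web Server: Couldn't find design note - {note}\n"
    "----\n"
    "Lotus-Domino Release 5.0.6a\n"
)


def design_note_name(path: str) -> str:
    """Return the URL-decoded part of the path after the '.nsf/' database segment.

    Assumption for this example: everything after '.nsf/' is the note name.
    """
    sep = path.lower().find(".nsf/")
    tail = path[sep + len(".nsf/"):] if sep >= 0 else path
    return unquote(tail)


def not_found_vulnerable(path: str) -> str:
    """Reflects the raw note name into the HTML body: the reported defect.

    Any '<' or '>' the client supplied is emitted as markup, so the browser
    runs attacker-chosen script in the server's origin (reflected XSS).
    """
    return TEMPLATE.format(note=design_note_name(path))


def not_found_hardened(path: str) -> str:
    """Escapes &, <, >, and quotes so the name renders as text, never as a tag."""
    return TEMPLATE.format(note=html.escape(design_note_name(path), quote=True))


def reflects_markup(body: str) -> bool:
    """Check used to compare the two responses: does the note line still hold a tag?"""
    note_line = next(l for l in body.splitlines() if "design note - " in l)
    return "<" in note_line.split("design note - ", 1)[1]
```

    The hardened variant is the usual fix for this class of bug: treat
    anything taken from the request as data, and encode it for the HTML
    context at the point where it is written into the response.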

SOLUTION

    This was reproduced and documented as SPR #JCHN4V2HUY.  Lotus are
    currently researching a fix and plan to address it in Domino R5.0.9.
    When the fix is available, it will be documented at

        http://www.notes.net/r5fixlist.nsf