On October 18, 2004, Juan C Calderon posted a vulnerability alert to Bugtraq titled "IBM Lotus Notes/Domino fails to encode Square Brackets( [ ] )." Is this a vulnerability in the IBM Lotus Domino server?
In addition to the original report, this information has also been posted in other advisories, including:
- Secunia advisory titled "IBM Lotus Notes/Domino Cross Site Scripting Vulnerability", which can be found at the following address:
- SecurityTracker advisory titled "Lotus Notes/Domino Square Bracket Encoding Failure Lets Remote Users Conduct Cross-Site Scripting Attacks", which can be found at the following address:
- CERT advisory titled "VU#404382: Lotus Domino fails to encode "[" character", which can be found at the following address:
Additional advisories may exist that discuss the same issue.
This issue was reported to IBM Lotus Quality Engineering as SPR# KSPR63RPGW; it was thoroughly investigated and determined not to be a product defect in the Domino server. The issue does not occur for editable fields, nor is it a problem in any templates or databases shipped with the core Domino server product. It cannot be reproduced against an arbitrary database.
This problem is easily avoided in a well-designed application. It occurs only in computed fields where user-supplied input is not validated by the application before being echoed back to the user. Application developers should consider security as part of their design and filter user-supplied data appropriately before using or displaying it.
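The following is an added illustration of the mitigation the technote recommends; it is not IBM code and not Domino formula language. It models a computed field that echoes a user-supplied value into a web page, once unfiltered (the application pattern the advisories describe) and once through an output encoder. The encoder escapes the usual HTML metacharacters and additionally the square brackets the advisories above single out, because on a Domino web form text enclosed in square brackets in computed text is treated as pass-through HTML. The function names, the `render_computed_field` simulation and the sample input are constructed for this example.

```python
import html

# Beyond the five standard HTML metacharacters handled by html.escape
# (& < > " '), square brackets are encoded as numeric entities so that
# bracketed text can no longer act as a pass-through HTML marker.
_BRACKET_ENTITIES = {"[": "&#91;", "]": "&#93;"}


def encode_for_html(value: str) -> str:
    """Return value with HTML metacharacters and square brackets encoded.

    html.escape runs first; its output contains no brackets, so the bracket
    replacement afterwards cannot double-encode anything.
    """
    escaped = html.escape(value, quote=True)
    for ch, entity in _BRACKET_ENTITIES.items():
        escaped = escaped.replace(ch, entity)
    return escaped


def render_computed_field(label: str, user_value: str, encode: bool = True) -> str:
    """Simulate a computed field that echoes a user-supplied value into a page.

    encode=False models the unfiltered application the technote describes;
    encode=True applies the output encoding a well-designed application would.
    (Constructed simulation, not Domino's rendering code.)
    """
    shown = encode_for_html(user_value) if encode else user_value
    return f"<p>{label}: {shown}</p>"


def contains_passthru_markers(rendered: str) -> bool:
    """Detection helper for review or testing: does a rendered fragment still
    carry literal square brackets that could be honoured as pass-through HTML?"""
    return "[" in rendered or "]" in rendered


if __name__ == "__main__":
    sample = "[<b>hello</b>]"  # constructed input for the demonstration
    print(render_computed_field("Name", sample, encode=False))
    print(render_computed_field("Name", sample))
```

In a Domino application the equivalent transformation belongs in the computed field's formula or in the code that writes the field value; the point is that the encoding happens before the value reaches the browser, not that the server is expected to do it for every field. The `contains_passthru_markers` check is the kind of assertion a test for such an application can run over rendered output.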