Juan C Calderon reported an issue where the @SetHTTPHeader function can be misused to inject arbitrary content into the HTTP response headers.
The @SetHTTPHeader function is only available to application developers. This vulnerability requires that the attacker have access to install a rogue application on the Lotus Domino server in order to execute this code. The impact of the vulnerability, if exploited, is HTTP response splitting or browser/proxy cache poisoning.
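The check that closes this class of bug, as an added example written for this page (it is not Lotus Domino code and does not describe the actual fix shipped under SPR# KSPR63RRBF): a header setter that refuses any name or value able to terminate the current header line, which is what turns header injection into response splitting or cache poisoning. Function names are assumptions.

```python
import re
from typing import Dict, Tuple

# Header names must be HTTP tokens (RFC 7230 section 3.2.6); anything else
# (spaces, colons, control characters) is rejected outright.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class HeaderInjectionError(ValueError):
    """Raised when a header name or value could break out of its header line."""


def validate_header(name: str, value: str) -> Tuple[str, str]:
    """Return (name, value) if safe to emit as one header line, else raise."""
    if not _TOKEN_RE.match(name):
        raise HeaderInjectionError("invalid header name: %r" % name)
    # CR, LF and NUL are the characters that let a caller end the current
    # header line and append further headers or a second response body.
    if "\r" in value or "\n" in value or "\x00" in value:
        raise HeaderInjectionError("line/NUL control character in value for %s" % name)
    # Remaining C0 controls (except horizontal tab) and DEL are not legal in a
    # field-value either; refuse them rather than silently stripping.
    if any(ord(ch) < 0x20 and ch != "\t" for ch in value) or "\x7f" in value:
        raise HeaderInjectionError("control character in value for %s" % name)
    return name, value.strip()


def is_safe_header(name: str, value: str) -> bool:
    """Boolean form of validate_header, handy for tests and log triage."""
    try:
        validate_header(name, value)
        return True
    except HeaderInjectionError:
        return False


def set_http_header(headers: Dict[str, str], name: str, value: str) -> Dict[str, str]:
    """Hardened stand-in for an @SetHTTPHeader-style call (assumed API)."""
    n, v = validate_header(name, value)
    headers[n] = v
    return headers


def render_headers(headers: Dict[str, str]) -> str:
    """Serialize headers; every entry is re-validated before it is written."""
    return "".join("%s: %s\r\n" % validate_header(n, v) for n, v in headers.items())


if __name__ == "__main__":
    h = set_http_header({}, "Location", "/home")
    print(render_headers(h))
    # A constructed value containing CRLF is rejected instead of emitted:
    print(is_safe_header("Location", "/home\r\nSet-Cookie: injected=1"))
```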
This issue was reported to Quality Engineering and has been addressed in Domino 6.5.4 and 6.0.5. Customers should upgrade to address this potential vulnerability.
Excerpt from the Lotus Notes and Domino Release 6.5.4 / 6.0.5 MR fix list (available at http://www.ibm.com/developerworks/lotus):
- SPR# KSPR63RRBF - Fixed a potential security issue.
CERT advisories can be found at the following address: