On July 6, 2005, Shalom Carmel posted a vulnerability alert to Bugtraq titled "Cross site scripting in Lotus Notes web mail."
The Bugtraq report can be found at the following address:
If a user clicks an HTML attachment in an email message using a Web browser, the HTML page is loaded without prompting the user to open or save the attachment.
In addition to the Bugtraq posting, this information has also been posted in other advisories, including the following:
FrSIRT advisory titled "IBM Lotus Notes HTML Attachments Script Execution Vulnerability", which can be found at the following address:
Security Tracker advisory titled "Lotus Notes HTML Attachment Processing Lets Remote Users Conduct Cross-Site Scripting Attacks", which can be found at the following address:
SecurityFocus advisory titled "IBM Lotus Notes Automatic Script Execution Vulnerability", which can be found at the following address:
Additional advisories may exist that discuss the same issue.
This issue affects users who access the standard Notes mail template(s) from a Web client. This does not affect users who access the standard Notes mail templates from the Notes client, nor does it affect users who use the Domino Web Access templates (INOTES5.NTF, INOTES60.NTF or INOTES6.NTF) to read their mail from a Web client.
IBM Lotus has strongly recommended the usage of Domino Web Access (iNotes) since its introduction in Domino 5.0.8 as our premier Web mail interface. The Domino Web Access mail template can be used by both Lotus Notes clients and Web clients and is a more secure and feature-rich option for accessing your Notes mail from the Web.
The Domino Web Access mail template does prompt the user to open or save when clicking on attachments, so upgrading the mail template is the best way to address this issue. Users should also exercise caution when opening attachments received via email to minimize risks.
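The point of the open-or-save prompt is that the attachment is never rendered as a page inside the mail server's origin. The following Python helper is an added example (not IBM's code and not part of the advisory) that classifies an HTTP response for an attachment by that criterion; it assumes the prompt corresponds to a Content-Disposition: attachment header, and the sample headers below are constructed, not captured Domino traffic.

```python
from email.message import Message  # stdlib header parser; handles Content-Type parameters

# Constructed sample responses for an HTML attachment fetched from the mail server's origin.
SAMPLE_RESPONSES = {
    # The behaviour described in the advisory: the HTML page is rendered directly, so any
    # script in it runs with the mail application's origin (stored cross-site scripting).
    "inline_html": {"Content-Type": "text/html; charset=ISO-8859-1"},
    # A template that prompts to open or save (assumed to send Content-Disposition: attachment).
    "forced_download": {
        "Content-Type": "text/html",
        "Content-Disposition": 'attachment; filename="invoice.html"',
        "X-Content-Type-Options": "nosniff",
    },
    # A generic type with no disposition: some browsers sniff the body and may still render HTML.
    "sniffable": {"Content-Type": "application/octet-stream"},
}

def classify_attachment_response(headers):
    """Return 'safe', 'inline-html' or 'sniffable' for one response's headers (a dict)."""
    msg = Message()
    for name, value in headers.items():
        msg[name] = value
    # Disposition type is the token before the first ';' (parameters such as filename follow it).
    disposition = (msg.get("Content-Disposition") or "").split(";", 1)[0].strip().lower()
    ctype = msg.get_content_type()  # lower-cased, parameters stripped, 'text/plain' if absent
    nosniff = (msg.get("X-Content-Type-Options") or "").strip().lower() == "nosniff"
    if disposition == "attachment":
        return "safe"  # browser prompts to open/save instead of rendering in the mail origin
    if ctype in ("text/html", "application/xhtml+xml"):
        return "inline-html"
    if not nosniff and ctype in ("application/octet-stream", "text/plain"):
        return "sniffable"  # heuristic: types that content-sniffing browsers may treat as HTML
    return "safe"

def audit(responses):
    """Map each sample name to its verdict, keeping only the ones that need attention."""
    verdicts = {name: classify_attachment_response(h) for name, h in responses.items()}
    return {name: v for name, v in verdicts.items() if v != "safe"}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{name}: {verdict}")
```

Run against real responses by replacing the constructed dict with the headers of an attachment download from your own mail server; any "inline-html" verdict means the template still renders attachments in the mail origin.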
To upgrade the mail template, users can individually replace the design of their mail file by using File -> Database -> Replace Design and selecting the Domino Web Access template. Alternatively, administrators can use the convert command to replace the design of multiple users' mail files at once.
For example, an administrator can run convert on the mail file using the following command at the Domino server console:
load convert -r filename.nsf * iNotes6.ntf
You can also use a wildcard to convert all mail files by using the following syntax:
load convert -r mail\*.nsf * iNotes6.ntf
For complete details on using the Convert command, refer to the topic in Lotus Domino Administrator Help titled "Upgrading mail files using the mail conversion utility".
Technote# 1084758: Setting up users for iNotes Web Access
Technote# 1093493: How to Upgrade a Batch of Mail Files From Standard R5 Mail to iNotes Mail Using a Text File
Technote# 1158614: What iNotes Web Access Templates Ship with each Domino Server Release?
Redbooks: iNotes Web Access Deployment and Administration