Validating Domino Frameset Src Arguments
The Domino autoframe feature uses the Src argument of the OpenFrameSet command; this argument is not intended for general use. An enhancement request was made to limit the use of the Src argument to the design notes in the same database as the frameset being opened.
This enhancement request was reported to Quality Engineering and has been addressed in Domino 6.5.4 Fix Pack 1 (220.127.116.11), Domino 6.5.5, and Domino 7.0. Refer to the Upgrade Central site for details on upgrading Notes/Domino to these releases.
To enable this setting, edit the notes.ini file and add the following line:
This parameter is static, so to enable it, you must edit the notes.ini manually and restart the server for it to take effect.
With this setting enabled, when the Web Server OpenFrameSet command has a Src argument, the argument's value is validated to ensure that it designates a design note in the same database as the frameset being opened. This validation prevents improper use of the Src argument to redirect browsers to arbitrary Web sites, which is a possible security vulnerability. Note that the Src and Frame arguments are used by the autoframe feature and are not intended for general use.
More support for:
Lotus End of Support Products
Lotus Domino Server
Software version: 6.5, 6.5.4, 18.104.22.168
Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS
Reference #: 1211961
Modified date: 10 February 2006