Problem description:

It seems possible to inject javascript in a get request, when referring to the /xsp/.ibmmodres/ XSP/Domino resources.

Normally, when you try this at .nsf/ resources, you get a correct default or custom error page without XSS possibilities. Special characters are substituted.

Example:

- http://[server]/[path]/[dbname].nsf/%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

Result:

HTTP Web Server: Cannot find design element

But referring to the /xsp/.ibmmodres/ resources, it yields XSS possibilities.

Example:

- http://[server]/[path]/[dbname].nsf/xsp/.ibmmodres/%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

Result:

- I get a 404 error page "Cannot load unregistered resource /"

- And it executes CSJS and shows for example DomAuthSessID !!

How is this possible?

Is there a way to avoid this?

Please help!

User answer:

Here is an article about how to avoid this:

http://www.wissel.net/blog/d6plinks/SHWL-8XS3MY

User answer:

Check your Domino version. It should be fixed in 8.5.3 FP2 (not fully sure about that) (but definitely 9.0 Beta). Other than that follow my instructions and create some web rules:

Type of rule: HTTP response headers
Incoming URL pattern: */xsp/.ibmxspres/*
HTTP response codes: 404
Expires header: Don't add header
Custom header: Content-Type : text/plain (overwrite)

Type of rule: HTTP response headers
Incoming URL pattern: */xsp/.ibmmodres/*
HTTP response codes: 404
Expires header: Don't add header
Custom header: Content-Type : text/plain (overwrite)
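Once those web rules are in place, a quick way to confirm they are in effect is to look at how a 404 for a guarded path comes back. The Python below is an added example, not code from the thread or from Domino: it classifies a captured 404 response for a path under /xsp/.ibmmodres/ or /xsp/.ibmxspres/ as safe (served as text/plain, or reflected only in HTML-escaped form) or as still echoing raw markup into an HTML body. The host name, the harmless probe marker and the sample responses are constructed for the example.

```python
from html import escape
from urllib.parse import quote, unquote, urlsplit

# URL prefixes covered by the two web rules in the answer above.
GUARDED_PREFIXES = ("/xsp/.ibmmodres/", "/xsp/.ibmxspres/")

# Harmless markup marker used as the path segment of the probe request.
# If it is echoed unescaped into a text/html body, the error page renders it.
PROBE_SEGMENT = "<i>probe-marker</i>"

# Constructed probe URL (example host, not a real server).
PROBE_URL = "http://example.invalid/app.nsf/xsp/.ibmmodres/" + quote(PROBE_SEGMENT)


def guarded_tail(url: str):
    """Return the decoded path text following a guarded prefix, or None."""
    path = unquote(urlsplit(url).path)
    for prefix in GUARDED_PREFIXES:
        if prefix in path:
            return path.split(prefix, 1)[1]
    return None


def classify_404(url: str, status: int, headers: dict, body: str) -> str:
    """Classify one captured response to a probe request for a guarded path."""
    tail = guarded_tail(url)
    if tail is None or status != 404:
        return "not-applicable"
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype == "text/plain":
        return "ok-text-plain"        # the web rule is in effect: nothing renders
    if tail in body:
        return "reflected-unescaped"  # raw markup echoed into an HTML error page
    if escape(tail) in body:
        return "ok-escaped"           # reflected, but special characters substituted
    return "ok-not-reflected"


# Constructed sample responses (status, headers, body) for the probe URL.
SAMPLE_RESPONSES = {
    "before-web-rule": (404, {"Content-Type": "text/html"},
        "<html><body>Cannot load unregistered resource /<i>probe-marker</i></body></html>"),
    "after-web-rule": (404, {"Content-Type": "text/plain; charset=utf-8"},
        "Cannot load unregistered resource /<i>probe-marker</i>"),
    "escaped-error-page": (404, {"Content-Type": "text/html"},
        "<html><body>Cannot find design element &lt;i&gt;probe-marker&lt;/i&gt;</body></html>"),
}

if __name__ == "__main__":
    for name, response in SAMPLE_RESPONSES.items():
        print(f"{name}: {classify_404(PROBE_URL, *response)}")
```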