Malware Injection in IBM’s Lotus Domino Becomes Easy
According to a recent security advisory from MWR InfoSecurity, the Web Access component of IBM's Lotus Domino has several security holes that could allow attackers to inject malicious software into the affected server or to monitor data by employing cross-site scripting (XSS), as reported by Heise-Online on May 21, 2008.
The researchers at MWR InfoSecurity said that the flaw lies in the code that handles the Hypertext Transfer Protocol (HTTP) header information sent by a user's browser. They found that the server takes the "Accept-Language" field from the HTTP header of a request and processes it. The processed data is then copied onto a fixed-length stack buffer using the "strcpy" function.
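The copy pattern described above, next to a bounded alternative, as an added example that is not code from IBM or from the MWR InfoSecurity advisory. The function names, the 64-byte buffer size and the character allowlist are assumptions made for illustration; the allowlist goes beyond the length check the article implies.

```c
#include <stdio.h>
#include <string.h>

#define LANG_BUF_SIZE 64 /* assumed size; the article gives no figure */

/* The pattern the article describes, kept for contrast: strcpy() writes
 * past lang[] whenever the header value is LANG_BUF_SIZE bytes or longer. */
int primary_is_english_unsafe(const char *accept_language) {
    char lang[LANG_BUF_SIZE];
    strcpy(lang, accept_language); /* no bound on client-supplied input */
    return strncmp(lang, "en", 2) == 0;
}

/* Bounded copy: returns 0 on success, -1 if the value is missing, does not
 * fit in dst (terminator included), or contains unexpected characters. */
int copy_accept_language(char *dst, size_t dst_size, const char *src) {
    static const char allowed[] = "abcdefghijklmnopqrstuvwxyz"
                                  "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                                  "0123456789-*,;=. \t";
    const char *end;
    size_t len;
    if (dst == NULL || dst_size == 0) return -1;
    dst[0] = '\0'; /* callers never see stale data on failure */
    if (src == NULL) return -1;
    end = memchr(src, '\0', dst_size); /* look no further than dst_size bytes */
    if (end == NULL) return -1;        /* too long: reject, do not truncate */
    len = (size_t)(end - src);
    if (strspn(src, allowed) != len) return -1; /* e.g. CR/LF or binary data */
    memcpy(dst, src, len + 1);
    return 0;
}

/* Hardened caller: 1 = English first, 0 = other, -1 = header rejected. */
int primary_is_english(const char *accept_language) {
    char lang[LANG_BUF_SIZE];
    if (copy_accept_language(lang, sizeof lang, accept_language) != 0)
        return -1; /* caller should reject the request or use a default */
    return strncmp(lang, "en", 2) == 0;
}

int main(void) {
    char big[4 * LANG_BUF_SIZE]; /* constructed overlong header value */
    memset(big, 'a', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("normal:   %d\n", primary_is_english("en-GB,en;q=0.8,de;q=0.5"));
    printf("overlong: %d\n", primary_is_english(big));
    return 0;
}
```

Rejecting an overlong value outright, rather than truncating it, also leaves a clear event to log when a client sends a header far larger than any real browser would.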
» SPAMfighter News - 30-05-2008