Notes/Domino Fix List
SPR # KSPR66USSU
Fixed in 6.5.4 FP1; 6.5.5 release
Security fix



Product Area: Server
Technical Area: Web Server
Platform: Cross Platform

Lotus Customer Support APAR: LO07849

SPR# KSPR66USSU - Fixed a potential security vulnerability.

Technote Number: 1211961

Problem:
This enhancement request was reported to Quality Engineering and has been
addressed in Domino 6.5.4 Fix Pack 1 (6.5.4.1), Domino 6.5.5, and Domino 7.0.
Refer to the Upgrade Central site for details on upgrading Notes/Domino to
these releases.

To enable this setting, edit the notes.ini file and add the following line:

DominoValidateFramesetSRC=1

This parameter is static, so to enable it, you must edit the notes.ini manually
and restart the server for it to take effect.

With this setting enabled, when the Web Server OpenFrameSet command has a Src
argument, the argument's value is validated to ensure that it designates a
design note in the same database as the frameset being opened. This validation
prevents improper use of the Src argument to redirect browsers to arbitrary Web
sites, which is a possible security vulnerability. Note that the Src and Frame
arguments are used by the autoframe feature and are not intended for general
use.
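
One way to review past use of the Src argument is to scan web server access logs for OpenFrameSet requests whose Src value points off-site. The Python below is an added example, not IBM's code; the log format, the sample lines, the host names and the shape of a legitimate Src value are constructed assumptions. It flags only the off-site case and does not reproduce the full same-database check the server performs.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines; common log format is an assumption about the server's logging.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2006:10:00:00 +0000] "GET /app.nsf/Main?OpenFrameSet&Frame=Body&Src=%2Fapp.nsf%2FHome%3FOpenPage HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2006:10:00:05 +0000] "GET /app.nsf/Main?OpenFrameSet&Src=http%3A%2F%2Fexample.invalid%2F HTTP/1.1" 200 498',
    '192.0.2.12 - - [01/Jan/2006:10:00:09 +0000] "GET /app.nsf/Main?openframeset&src=//example.invalid/x HTTP/1.1" 200 498',
    '192.0.2.13 - - [01/Jan/2006:10:00:12 +0000] "GET /other.nsf/View?OpenView HTTP/1.1" 200 2048',
]

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def frameset_src(target):
    """Return the URL-decoded Src value of an OpenFrameSet request, else None."""
    _path, sep, query = target.partition("?")
    parts = query.split("&")
    # Command and argument names are compared case-insensitively (assumption).
    if not sep or parts[0].lower() != "openframeset":
        return None
    for part in parts[1:]:
        name, _, value = part.partition("=")
        if name.lower() == "src":
            return unquote(value)
    return None

def is_offsite(src):
    """True when Src carries a scheme or host, so it cannot name a note in the same database."""
    try:
        parts = urlsplit(src.strip().replace("\\", "/"))
    except ValueError:
        return True  # unparseable authority: report it for manual review
    return bool(parts.scheme or parts.netloc)

def suspicious_lines(lines):
    """Return (client address, decoded Src) for every off-site OpenFrameSet request."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        src = frameset_src(m.group(1)) if m else None
        if src is not None and is_offsite(src):
            hits.append((line.split()[0], src))
    return hits

if __name__ == "__main__":
    for client, src in suspicious_lines(SAMPLE_LOG):
        print(client, src)
```

Hits dated before DominoValidateFramesetSRC=1 was applied are the ones to follow up on.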



Last Modified on 12/08/2013
