(July 2010) Fixes for potential security vulnerabilities in Lotus Notes file viewers
InterfaceFLOR: Let's be clear
Link: http://www.interfaceflor.eu/letsbeclear
A new campaign from InterfaceFLOR about sustainability. This campaign consists of several parts, all about spreading the word about sustainability and debunking claims. It's time to tell the truth about carpet tiles, green claims and sustainability. InterfaceFLOR have created everything you need to cut through the greenwash and help you make the most sustainable product choices.

How to choose the most sustainable products and what to ask the manufacturers
The marketing world has woken up to sustainability and the result is a blizzard of claims for products from cars to carpets: ‘carbon neutral’, ‘recyclable’, ‘natural’, ‘cradle to cradle’, ‘fair-trade’, ‘organic’, ‘environment friendly’, etc.
But sustainability is too complex to be explained by a single product benefit or green label. This guide explains how to assess the sustainability of different products and the companies that make them.
Download Just the Facts
IBM WebSphere Application Server Administration Console Cross Site Scripting Vulnerability
Link: http://www.securityfocus.com/bid/39051/info
Bugtraq ID: 39051
Class: Input Validation Error
CVE: CVE-2010-0768
Remote: Yes
Local: No
Published: Mar 30 2010 12:00AM
Updated: Jun 23 2010 08:38PM
Credit: IBM
Vulnerable:
IBM Websphere Application Server 7.0 3
IBM Websphere Application Server 7.0.8
IBM Websphere Application Server 6.1.2
IBM Websphere Application Server 6.1.9
IBM Websphere Application Server 6.1.8
IBM Websphere Application Server 6.1.7
IBM Websphere Application Server 6.1.6
IBM Websphere Application Server 6.1.5
IBM Websphere Application Server 6.1.4
IBM Websphere Application Server 6.1.3
IBM Websphere Application Server 6.1.25
IBM Websphere Application Server 6.1.23
IBM Websphere Application Server 6.1.22
IBM Websphere Application Server 6.1.21
IBM Websphere Application Server 6.1.20
IBM Websphere Application Server 6.1.2
IBM Websphere Application Server 6.1.19
IBM Websphere Application Server 6.1.18
IBM Websphere Application Server 6.1.17
IBM Websphere Application Server 6.1.15
IBM Websphere Application Server 6.1.14
IBM Websphere Application Server 6.1.13
IBM Websphere Application Server 6.1.12
IBM Websphere Application Server 6.1.11
IBM Websphere Application Server 6.1.10
IBM Websphere Application Server 6.1.1
IBM Websphere Application Server 6.1
IBM Websphere Application Server 6.0.2.9
IBM Websphere Application Server 6.0.2.7
IBM Websphere Application Server 6.0.2.5
IBM Websphere Application Server 6.0.2.39
IBM Websphere Application Server 6.0.2.35
IBM Websphere Application Server 6.0.2.33
IBM Websphere Application Server 6.0.2.31
IBM Websphere Application Server 6.0.2.3
IBM Websphere Application Server 6.0.2.29
IBM Websphere Application Server 6.0.2.27
IBM Websphere Application Server 6.0.2.25
IBM Websphere Application Server 6.0.2.24
IBM Websphere Application Server 6.0.2.23
IBM Websphere Application Server 6.0.2.22
IBM Websphere Application Server 6.0.2.21
IBM Websphere Application Server 6.0.2.17
IBM Websphere Application Server 6.0.2.15
IBM Websphere Application Server 6.0.2.13
IBM Websphere Application Server 6.0.2.11
IBM Websphere Application Server 6.0.2.1
IBM Websphere Application Server 6.0.2
IBM Websphere Application Server 6.0.1
IBM Websphere Application Server 6.0.7
IBM Websphere Application Server 6.0
IBM Websphere Application Server 7.0.0.7
IBM Websphere Application Server 7.0.0.5
IBM Websphere Application Server 7.0.0.1
IBM Websphere Application Server 7.0
IBM Websphere Application Server 6.1.0.29
IBM Websphere Application Server 6.1.0.27
IBM Websphere Application Server 6.0.2.19
IBM Websphere Application Server 6.0.2 Fix Pack 17
Not Vulnerable:
IBM Websphere Application Server 7.0.9
IBM Websphere Application Server 6.1.0.31
IBM Websphere Application Server 6.0.2.41
IBM WebSphere Application Server (WAS) is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Versions prior to WAS 7.0.0.9, 6.1.0.31, and 6.0.2.4 are vulnerable.
Attackers can exploit this issue by enticing an unsuspecting victim into following a malicious URI.
Solution:
The vendor has released updates. Please see the references for details.
References:
* IBM APAR PK97376 (IBM)
* IBM Websphere Homepage (IBM)
* WebSphere Application Server Administration Console Cross-Site Scripting (IBM)
IBM DB2 prior to 9.7 Fix Pack 2 Multiple Security Vulnerabilities
Bugtraq ID: 40446
Class: Unknown
CVE: CVE-2010-0472
Remote: Yes
Local: Yes
Published: May 28 2010 12:00AM
Updated: May 31 2010 03:50PM
Credit: The vendor disclosed these issues.
Vulnerable:
IBM DB2 Universal Database 9.7.1
IBM DB2 Universal Database 9.7
Not Vulnerable:
IBM DB2 Universal Database 9.7.2
IBM DB2 is prone to multiple vulnerabilities. These issues may allow attackers to carry out denial-of-service attacks, obtain sensitive information, and exploit an unspecified vulnerability with an unknown impact.
These issues affect IBM DB2 9.2 prior to Fix Pack 2 (9.7.2).
Currently we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com. Some of these issues may not require exploit code.
Solution:
The vendor has released fixes. Please see the references for details.
References:
* IBM DB2 Homepage (IBM)
* 1432298 Security Vulnerabilities and HIPER APARs fixed in DB2 for Linux, UNIX, a (IBM)
xpages: Theme's and css media types
This weekend I was trying to embed Blueprint in an XPages app.
All went fine, but I ran into one problem: how do you get your theme to use the following syntax?
<!-- sample -->
<!-- Framework CSS -->
<link rel="stylesheet" href="../../blueprint/screen.css" type="text/css" media="screen, projection">
<link rel="stylesheet" href="../../blueprint/print.css" type="text/css" media="print">
<!--[if lt IE 8]>
<![endif]-->
<!-- Import fancy-type plugin for the sample page. -->
<link rel="stylesheet" href="../../blueprint/plugins/fancy-type/screen.css" type="text/css" media="screen, projection">
The media= part is what I can't get the theme to produce. I tried the following:
<resource>
<content-type>text/css</content-type>
<href>screen.css</href>
<media>screen, projection</media>
</resource>
But the generated code doesn't take the media setting into account at all:
<link rel="stylesheet" type="text/css" href="/dev/blueprint.nsf/screen.css">
<link rel="stylesheet" type="text/css" href="/dev/blueprint.nsf/fancyscreen.css">
Any suggestions on this?
InterfaceFLOR news: 'War on waste' and EPD
EPDs follow a rigorous process in accordance with agreed industry standards. In addition to sharing what is typically confidential product information, we carried out a thorough life cycle assessment (LCA) for our products, in line with ISO 14040 standards. This covers everything from raw material extraction through to disposal or recycling at the end of the product's useful life.
Read more about it here.
And, we are waging a war on waste! Click the image below for more info.

Why not use one of these social media tools to tell more people about War on Waste?
IBM WebSphere Application Server Long Filename Information Disclosure Vulnerability
Bugtraq ID: 40277
Class: Unknown
CVE: CVE-2010-0777
Remote: Yes
Local: No
Published: May 09 2010 12:00AM
Updated: May 20 2010 05:02PM
Credit: Reported by the vendor
Vulnerable:
IBM Websphere Application Server 7.0 3
IBM Websphere Application Server 7.0.9
IBM Websphere Application Server 7.0.8
IBM Websphere Application Server 6.1.2
IBM Websphere Application Server 6.1.9
IBM Websphere Application Server 6.1.8
IBM Websphere Application Server 6.1.7
IBM Websphere Application Server 6.1.6
IBM Websphere Application Server 6.1.5
IBM Websphere Application Server 6.1.4
IBM Websphere Application Server 6.1.3
IBM Websphere Application Server 6.1.25
IBM Websphere Application Server 6.1.23
IBM Websphere Application Server 6.1.22
IBM Websphere Application Server 6.1.21
IBM Websphere Application Server 6.1.20
IBM Websphere Application Server 6.1.2
IBM Websphere Application Server 6.1.19
IBM Websphere Application Server 6.1.18
IBM Websphere Application Server 6.1.17
IBM Websphere Application Server 6.1.15
IBM Websphere Application Server 6.1.14
IBM Websphere Application Server 6.1.13
IBM Websphere Application Server 6.1.12
IBM Websphere Application Server 6.1.11
IBM Websphere Application Server 6.1.10
IBM Websphere Application Server 6.1.1
IBM Websphere Application Server 6.1
IBM Websphere Application Server 6.0.2.9
IBM Websphere Application Server 6.0.2.7
IBM Websphere Application Server 6.0.2.5
IBM Websphere Application Server 6.0.2.39
IBM Websphere Application Server 6.0.2.35
IBM Websphere Application Server 6.0.2.33
IBM Websphere Application Server 6.0.2.31
IBM Websphere Application Server 6.0.2.3
IBM Websphere Application Server 6.0.2.29
IBM Websphere Application Server 6.0.2.27
IBM Websphere Application Server 6.0.2.25
IBM Websphere Application Server 6.0.2.24
IBM Websphere Application Server 6.0.2.23
IBM Websphere Application Server 6.0.2.22
IBM Websphere Application Server 6.0.2.21
IBM Websphere Application Server 6.0.2.17
IBM Websphere Application Server 6.0.2.15
IBM Websphere Application Server 6.0.2.13
IBM Websphere Application Server 6.0.2.11
IBM Websphere Application Server 6.0.2.1
IBM Websphere Application Server 6.0.2
IBM Websphere Application Server 7.0.0.7
IBM Websphere Application Server 7.0.0.5
IBM Websphere Application Server 7.0.0.1
IBM Websphere Application Server 7.0
IBM Websphere Application Server 6.1.0.29
IBM Websphere Application Server 6.1.0.27
IBM Websphere Application Server 6.0.2.41
IBM Websphere Application Server 6.0.2.19
IBM Websphere Application Server 6.0.2 Fix Pack 17
Not Vulnerable:
IBM Websphere Application Server 7.0.11
IBM Websphere Application Server 6.1.0.31
IBM Websphere Application Server 6.0.2.43
IBM WebSphere Application Server (WAS) is prone to an information-disclosure vulnerability.
Exploiting this issue may allow an attacker to access sensitive information that may aid in further attacks.
This issue affects WAS 6.0, 6.1, and 7.0.
An attacker can exploit this issue through a browser.
Solution:
IBM has released fixes. Please see the vendor reference for details.
References:
* Fix list for IBM WebSphere Application Server V6.1 (IBM)
* IBM Websphere Homepage (IBM)
* WebSphere Application Server Web Container information disclosure (IBM)
Live demo: Online Workspace application
Username: Test User
password: test
Url: Workspace Beta
The app uses XPages, SSJS, jQuery, AJAX posts and a good old Notes agent. You can add applications and drag/drop them where you want.
There is still a big list of issues, but the basis is there.
I've provided some dummy apps you can add. The user has no rights whatsoever on the system, but for a proof of concept that's enough.
Please provide feedback on what you think about this application.
Upd. (07-05-2010):
Even though there is no feedback so far, I've made the app even better: it can now hold any website as an icon too (the demo has Google as an example).
Sneak preview: Xpages and jQuery app.
I've been working on this for a while (heck, I'm an admin
Wishlist: 30 A4's
Buglist: 35 A4's
What does it do? It lists "tiles" that are listed in a view with a view control, and stores the location of the tiles in a cookie (yep, that will become an AJAX post someday). Moving works, closing works.
It's a learning curve for me with new techniques such as XPages and jQuery, and a "how did this work" experience in combining CSS with XPages etc.
(No live demo available yet)
Xpages and Security: Can an expert please help? OWASP and Xpages
We as Domino people are not known to be attacked a lot, but still I'd like to know the following (as an admin who does some design work):
Would it be possible, now that XPages uses server-side Java, to implement the OWASP ESAPI?
So for field validation etc. to prevent XSS and XSRF and other threats from the OWASP Top 10? Or would this be a non-issue for Domino as a web platform?
Enterprise Security API (ESAPI)
OWASP Enterprise Security API Toolkits help software developers guard against security-related design and implementation flaws. Our motto is NO GUTS NO GLORY!
How ESAPI Works
Read more about the ESAPI here.
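As an added illustration of the question above (this is example code, not from the original post and not from ESAPI or IBM), the class below shows the two ESAPI 2.x calls most relevant to the XSS part: allowlist validation of a form field on the server and HTML encoding of stored data before it is written back into a page. It assumes the ESAPI jar and an ESAPI.properties file defining the "SafeString" validator pattern are on the server's classpath; the class name FieldGuard and the field name are made up for the example.

```java
// Added example (not from the original post): calling OWASP ESAPI 2.x
// from server-side Java, e.g. from an XPages managed bean.
// Assumes esapi.jar plus an ESAPI.properties with a
// Validator.SafeString pattern are on the classpath.
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Logger;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

public class FieldGuard {

    // Validate a user-supplied field against the "SafeString" allowlist
    // from ESAPI.properties. Returns the canonicalized value, or null
    // when the input does not conform so the caller rejects the submit.
    public static String validateField(String fieldName, String rawValue) {
        try {
            // context label, input, validator type, max length, allowNull
            return ESAPI.validator().getValidInput(
                    fieldName, rawValue, "SafeString", 200, false);
        } catch (ValidationException e) {
            // Log the context and ESAPI's sanitized message, not the raw input
            ESAPI.log().warning(Logger.SECURITY_FAILURE,
                    "Rejected field " + fieldName + ": " + e.getLogMessage());
            return null;
        } catch (IntrusionException e) {
            // ESAPI's intrusion detector decided the input is a clear attack
            return null;
        }
    }

    // Encode a stored value for an HTML text context so that any markup
    // it contains is displayed literally rather than interpreted.
    public static String encodeForPage(String storedValue) {
        return ESAPI.encoder().encodeForHTML(storedValue);
    }

    public static void main(String[] args) {
        // Constructed sample inputs for a quick local run
        String plain = validateField("displayName", "Jane Doe");
        String tagged = validateField("displayName", "<b>Jane</b>");
        System.out.println("plain  -> " + plain);   // accepted
        System.out.println("tagged -> " + tagged);  // rejected, null
        System.out.println(encodeForPage("<b>Jane</b>"));
    }
}
```

Validation alone does not cover the XSRF part of the question; ESAPI's CSRF token helpers depend on its own authenticator and session handling, which would need to be wired to Domino separately.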