Sunday, September 20, 2009

vowe dot net :: Lotus Notes RSS reader unsafe

Hmm – see the full post for more details

The vulnerability is universal. You don't need any exploit. Notes downloads HTML code embedded into the RSS feed, dumps it into the file system and asks Internet Explorer to interpret it. Since the file is local, IE treats it as local code. From there you can do pretty much everything that is possible with JavaScript, Flash or other embedded code.

vowe dot net :: Lotus Notes RSS reader unsafe
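A defender-side check for the behaviour quoted above, as an added example that is not part of the original post or of Lotus Notes: it scans the HTML embedded in each RSS item for active content before a client would write it to disk and hand it to a browser. The sample feed and the names `audit_feed` and `ActiveContentFinder` are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Elements that execute or load code when feed-supplied HTML is rendered.
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe", "frame"}
URL_ATTRS = {"href", "src", "action", "data"}

class ActiveContentFinder(HTMLParser):
    """Collects reasons an HTML fragment must not be rendered as local content."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lowercased
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):  # inline event handlers such as onclick/onload
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and value:
                compact = "".join(value.split()).lower()  # defeat "java\tscript:" tricks
                if compact.startswith(("javascript:", "vbscript:", "data:")):
                    self.findings.append(f"script URL in {name} on <{tag}>")

def audit_feed(rss_text):
    """Return {item title: [findings]} for items whose description has active content."""
    report = {}
    # Assumption: input is a trusted test string; harden the XML parser for live feeds.
    for item in ET.fromstring(rss_text).iter("item"):
        finder = ActiveContentFinder()
        finder.feed(item.findtext("description") or "")
        finder.close()
        if finder.findings:
            report[item.findtext("title") or "(untitled)"] = finder.findings
    return report

# Constructed sample feed (not taken from the original report).
SAMPLE_FEED = """<rss version="2.0"><channel><title>demo</title>
<item><title>plain</title><description>&lt;p&gt;Hello &lt;b&gt;world&lt;/b&gt;&lt;/p&gt;</description></item>
<item><title>scripted</title><description>&lt;p onclick="x()"&gt;hi&lt;/p&gt;&lt;script&gt;x()&lt;/script&gt;</description></item>
<item><title>embedded</title><description><![CDATA[<embed src="movie.swf"><a href="JavaScript:x()">more</a>]]></description></item>
</channel></rss>"""

if __name__ == "__main__":
    for title, findings in audit_feed(SAMPLE_FEED).items():
        print(title, "->", "; ".join(findings))
```

A flagging pass like this suits triage of subscribed feeds; a reader that renders feed HTML should pass it through an allowlist sanitizer rather than depend on a denylist.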
