IBM Lotus Domino Web Server Stack Overflow in Processing HTTP 'Accept-Language' Header Lets Remote Users Execute Arbitrary Code

SecurityTracker Alert ID: 1020098
SecurityTracker URL: http://securitytracker.com/id/1020098
CVE Reference: CVE-2008-2240
Date: May 22 2008
Impact: Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 7.0, 8.0
Description:
A vulnerability was reported in IBM Lotus Domino. A remote user can execute arbitrary code on the target system.
A remote user can send a specially crafted HTTP 'Accept-Language' header value to trigger a stack overflow and execute arbitrary code on the target system. The code will run with the privileges of the target service.
IBM has assigned SPR# MKIN79DR9S to this vulnerability.
The original advisory is available at:
http://www.mwrinfosecurity.com/publications/mwri_ibm-lotus-domino-accept-language-stack-overflow_2008-05-20.pdf
MWR InfoSecurity reported this vulnerability.
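The boundary error described above is the kind of defect a length-checked parser prevents. The following is an added illustrative example, not Domino's code and not taken from the MWR advisory: a C routine that parses an Accept-Language value into language ranges and q-values while refusing oversized values, over-long tags and excess ranges before anything is copied into a fixed-size stack buffer. The limits MAX_ACCEPT_LANGUAGE, MAX_TAG_LEN and MAX_TAGS are assumed policy values, and the sample header and the oversized value are constructed for the demonstration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed policy limits (illustrative, not Domino's values). */
#define MAX_ACCEPT_LANGUAGE 256  /* longest header value we will examine */
#define MAX_TAG_LEN 35           /* RFC 5646 recommends tags fit in 35 octets */
#define MAX_TAGS 16              /* language ranges we are willing to keep */

struct lang_pref {
    char tag[MAX_TAG_LEN + 1];
    int q_permille;              /* q-value scaled by 1000: q=0.8 -> 800 */
};

static const char *skip_ows(const char *p)
{
    while (*p == ' ' || *p == '\t') p++;
    return p;
}

/* Parse an Accept-Language value into out[]. Returns the number of ranges
 * parsed, or -1 if the value is oversized, malformed, or has too many ranges.
 * Every write is bounded by the destination size, and the length check runs
 * before any byte is copied into the fixed-size stack buffer. */
int parse_accept_language(const char *value, struct lang_pref *out, size_t max_out)
{
    if (value == NULL) return -1;
    size_t len = 0;                       /* bounded scan: stop at the limit */
    while (value[len] != '\0') {
        if (++len > MAX_ACCEPT_LANGUAGE) return -1;
    }
    size_t n = 0;
    const char *p = value;
    while (*p != '\0') {
        p = skip_ows(p);
        char tag[MAX_TAG_LEN + 1];
        size_t taglen = 0;
        /* language-range characters: ALPHA / DIGIT / "-" / "*" */
        while (isalnum((unsigned char)*p) || *p == '-' || *p == '*') {
            if (taglen >= MAX_TAG_LEN) return -1;   /* tag too long: reject */
            tag[taglen++] = *p++;
        }
        if (taglen == 0) return -1;
        tag[taglen] = '\0';
        int q = 1000;
        p = skip_ows(p);
        if (*p == ';') {                             /* optional ;q=qvalue */
            p = skip_ows(p + 1);
            if (*p != 'q' && *p != 'Q') return -1;
            if (*++p != '=') return -1;
            p++;
            if (*p != '0' && *p != '1') return -1;
            q = (*p++ == '1') ? 1000 : 0;
            if (*p == '.') {                         /* up to three digits */
                p++;
                int scale = 100, digits = 0;
                while (isdigit((unsigned char)*p) && digits < 3) {
                    q += (*p++ - '0') * scale;
                    scale /= 10;
                    digits++;
                }
            }
            if (q > 1000) return -1;                 /* q above 1 is invalid */
            p = skip_ows(p);
        }
        if (n >= max_out) return -1;                 /* too many ranges */
        memcpy(out[n].tag, tag, taglen + 1);
        out[n].q_permille = q;
        n++;
        if (*p == ',') { p++; continue; }
        if (*p == '\0') break;
        return -1;                                   /* unexpected character */
    }
    return (int)n;
}

/* Helpers for stand-alone use and testing. */
int parse_count(const char *value)
{
    struct lang_pref prefs[MAX_TAGS];
    return parse_accept_language(value, prefs, MAX_TAGS);
}

int parse_q(const char *value, size_t idx)
{
    struct lang_pref prefs[MAX_TAGS];
    int n = parse_accept_language(value, prefs, MAX_TAGS);
    return (n < 0 || idx >= (size_t)n) ? -1 : prefs[idx].q_permille;
}

/* Constructed oversized value of the kind a boundary check must refuse. */
int oversized_value_rejected(void)
{
    char big[MAX_ACCEPT_LANGUAGE * 4 + 1];
    memset(big, 'a', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return parse_count(big) == -1;
}

int main(void)
{
    const char *hdr = "en-US,en;q=0.8, fr;q=0.5";   /* constructed sample */
    printf("ranges=%d q[1]=%d oversized_rejected=%d\n",
           parse_count(hdr), parse_q(hdr, 1), oversized_value_rejected());
    return 0;
}
```

The design point is that the rejection decisions (value length, tag length, range count) are all made against compile-time limits before the corresponding copy, so no input length can influence how much is written to the stack.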
Impact:
A remote user can execute arbitrary code on the target system.
[Editor's note: The vendor is reporting the vulnerability as having only a denial of service impact.]
Solution:
The vendor has issued a fix (Domino 7.0.3 Fix Pack 1 (FP1) and 8.0.1).
The vendor's advisory is available at:
http://www-1.ibm.com/support/docview.wss?uid=swg21303057
Vendor URL: www-1.ibm.com/support/docview.wss?uid=swg21303057
Cause:
Boundary error
Underlying OS:
Linux (Any), Windows (Any)
Message History:
None.
Source Message Contents
Date: Thu, 22 May 2008 00:21:36 -0400
Subject: IBM Lotus Domino
http://www.mwrinfosecurity.com/publications/mwri_ibm-lotus-domino-accept-language-stack-overflow_2008-05-20.pdf
http://www-1.ibm.com/support/docview.wss?uid=swg21303057
CVE-2008-2240