From the Inbox: XSS and DominoValidateRedirect variable to protect your users

Q: Chris,
We recently had a pen test done on our web servers and it came back with a few issues.  One of the issues is that our Domino server was vulnerable to cross-site redirect hacks. Is this an application code problem or the Domino server? We need to fix this to pass the audit.

IBM Domino, like any web server, has been known to have vulnerabilities. Your issues, cross-site scripting and open redirects, are among them and can be solved at the server level without code changes. The notes.ini variable DominoValidateRedirect=1 will solve both of these. Available in IBM Domino 8.5.3 and later, it prevents both issues with one setting.

It can, however, cause a few issues with the login process that you should be aware of; I found reports of these from 2013 in the Lotus forums. As soon as you place this variable in the notes.ini and restart HTTP on the Domino server, it will pass the audit for the XSS redirect issue.
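
Before the re-test, it helps to confirm that the setting really is in the notes.ini of every web server in scope. The script below is an added example, not part of the original post or any IBM tooling; it assumes notes.ini is a flat list of Key=Value lines with case-insensitive key names, and the sample files in it are constructed.

```python
import sys

SETTING = "DominoValidateRedirect"  # variable named in the post


def read_setting(ini_text, name=SETTING):
    """Return every value assigned to `name`, in file order.

    Assumption: notes.ini holds flat Key=Value lines and key names
    are matched case-insensitively.
    """
    values = []
    for raw in ini_text.splitlines():
        line = raw.strip()
        # Skip blanks, the [Notes] header and anything without '='.
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() == name.lower():
            values.append(value.strip())
    return values


def audit(ini_text):
    """Classify a notes.ini: 'ok', 'missing', 'disabled' or 'conflict'."""
    values = read_setting(ini_text)
    if not values:
        return "missing"
    if len(set(values)) > 1:
        return "conflict"  # duplicate entries that disagree; fix by hand
    return "ok" if values[0] == "1" else "disabled"


# Constructed sample files, not taken from a real server.
SAMPLE_OK = "[Notes]\nKitType=2\nDominoValidateRedirect=1\n"
SAMPLE_MISSING = "[Notes]\nKitType=2\n"
SAMPLE_DISABLED = "[Notes]\ndominovalidateredirect = 0\n"
SAMPLE_CONFLICT = "[Notes]\nDominoValidateRedirect=0\nDominoValidateRedirect=1\n"

if __name__ == "__main__":
    # Usage: python check_redirect.py /path/to/notes.ini [more files ...]
    for path in sys.argv[1:]:
        with open(path, encoding="latin-1", errors="replace") as fh:
            print(f"{path}: {audit(fh.read())}")
```

Any result other than "ok" means the server will not have the setting in effect after the HTTP restart described above.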