From the Inbox: XSS and DominoValidateRedirect variable to protect your users

Tags :

Q: Chris,
We recently had a pen test done on our web servers and it came back with a few issues.  One of the issues is that our Domino server was vulnerable to cross-site redirect hacks. Is this an application code problem or the Domino server? We need to fix this to pass the audit.

IBM Domino, like any web server, has been known to vulnerabilities.  You issue of Cross-site scripting and open redirects are included and can be solved at the server level without code changes. The ini variable DominoValidateRedirect=1 will solve both of these. Used in IBM Domino 8.5.3 and later it prevents both issues with one setting.

It can however cause a few issues with the login process you should be aware of that I found back from 2013 in the Lotus forums.  You will find that as soon as you place this variable in the notes.ini and restart HTTP on the Domino server it will pass the audit for the XSS redirect issue.