XSS Vulnerabilities in Domino

An IBM Technote updated on 15 Aug 2012 points to a set of XSS vulnerabilities in the Lotus Domino server. You also can read the disclosure on seclist.org about that. But first go to your server configuration document and add:
DominoValidateFramesetSRC=1
Welcome back (You don't edit the notes.ini directly don't you!). When looking at XSS vulnerabilities, they follow the same pattern as SQL injections: Input that has been provided by the user is not fully sanitised and used for output generation. In web applications the " usual suspects" for such attacks are:

• Framesets
• URL parameters
• Error and redirection pages
• Form submissions

Finding all those is quite a task for both the developers and the attackers since URLs can be encoded in many different ways (@URLDecode is your friend). Luckily (for the first) and unfortunately (for the later) there is help available. Poking around in Domino made me add a new server rules ( Update thx to Sven to point that out) (not needed on Domino 8.5.4++):

• Type of rule: HTTP response headers
• Incoming URL pattern: */xsp/.ibmxspres/*
• HTTP response codes: 404
• Expires header: Don't add header
• Custom header: Content-Type : text/plain (overwrite)

• Type of rule: HTTP response headers
• Incoming URL pattern: */xsp/.ibmmodres/*
• HTTP response codes: 404
• Expires header: Don't add header
• Custom header: Content-Type : text/plain (overwrite)

Of course a server rule requires that you use the "Internet sites" configuration - since that configuration option was introduced in R6.0 it is high time you use them.
As usual YMMV