Notes.ini Entry
Name:
DominoValidateRedirectTo
Syntax
DominoValidateRedirectTo=
0 / 1
Applies to:
Servers
Add-on:
First Release:
9.0.1 FP4
Obsolete since:
Category:
HTTP, Web, Login
Default:
None
UI equivalent:
None
Description:
SPR# KLYH8WBPRN - Addressed the following 2 issues: IBM Lotus Domino Web Server Open Redirect CVE ID: CVE-2012-4842 and IBM Lotus Domino Cross-site Scripting CVE ID: CVE-2012-4844. See technote 1614077 for more details. The notes.ini parameter DominoValidateRedirectTo=1 must be set in the Domino server's Notes.ini to enable both of these fixes.
When the ini is set, and the login page HTML is generated by the Domino server, the URL placed in the hidden RedirectTo field has an extra temporary query string argument appended to it. That argument appears as $$_vrd2=<validation token>. When the form is posted, the login processing uses that token to validate the redirect-to URL and make sure it has not been tampered with or changed. If the token is not present, or the URL cannot be validated, the login request is rejected. The extra query argument is stripped off before the redirection after login is performed.
If for some reason the login form specifies the redirect-to URL in some other way (the Domino server does not generate it, or it is overridden with something else), then the token will not be present and the login request is rejected.
So for example, if the incoming URL that causes a login page to appear looks like /foo.nsf?Open, the RedirectTo URL in the login form should look like /foo.nsf?Open&$$_vrd2=<validation token>
When the form is posted, the login processing takes the <validation token> and verifies it before login; if it is okay, the login is performed and the browser is redirected back to the original URL /foo.nsf?Open. If the validation fails, then login fails.
In your case the RedirectTo field should be set to /?$$_vrd2=<validation token>, and if login is successful then we would redirect back to / and strip off the ?$$_vrd2 query arg.
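The token round trip described above, as an added illustration that is not Domino's own code: the page does not say how Domino derives the <validation token>, so this example assumes a keyed HMAC over the redirect target as a stand-in, and assumes a constructed server secret. It shows the RedirectTo value the server would generate for /foo.nsf?Open and for /, the login-time check that rejects a missing token, a changed target, or an absolute/external URL, and the stripping of the $$_vrd2 argument before redirecting.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Constructed secret for this demonstration; Domino's real token derivation is not on this page.
SERVER_SECRET = b"constructed-demo-secret-not-a-real-key"
TOKEN_ARG = "$$_vrd2"


def _token_for(target: str) -> str:
    """Keyed MAC over the redirect target (assumed stand-in for the <validation token>)."""
    return hmac.new(SERVER_SECRET, target.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def build_redirectto(original_url: str) -> str:
    """What the server puts in the hidden RedirectTo field when it generates the login page."""
    sep = "&" if "?" in original_url else "?"
    return f"{original_url}{sep}{TOKEN_ARG}={_token_for(original_url)}"


def validate_redirectto(posted_url: str):
    """Login-time check. Returns the stripped target URL, or None if login must be rejected."""
    parts = urlsplit(posted_url)
    # Only a site-relative path is an acceptable destination (blocks the open redirect).
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        return None
    # The token was appended as the final query argument; split it back off.
    marker = TOKEN_ARG + "="
    idx = parts.query.rfind(marker)
    if idx == -1:
        return None  # token missing: form was not generated by the server
    token = parts.query[idx + len(marker):]
    if "&" in token:
        return None  # something was appended after the token
    remaining = parts.query[:idx].rstrip("&")
    target = parts.path + (f"?{remaining}" if remaining else "")
    # Constant-time compare of the presented token against the one for the stripped target.
    if not hmac.compare_digest(token.encode("utf-8"), _token_for(target).encode("utf-8")):
        return None  # target was changed after the token was issued
    return target


if __name__ == "__main__":
    for url in ("/foo.nsf?Open", "/"):
        field = build_redirectto(url)
        print(f"RedirectTo field: {field}")
        print(f"validated target: {validate_redirectto(field)}")
    print("no token       ->", validate_redirectto("/foo.nsf?Open"))
```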