SECURITYVULNS:DOC:32306
Jul 05, 2015 - 12:00 a.m.

XSS vulnerability in IBM Domino

vulners.com

Hello 3APA3A!

I want to warn you about a Cross-Site Scripting vulnerability in IBM Domino. This is one of many vulnerabilities in Domino, which I found on 03.05.2012. In previous years I wrote about multiple vulnerabilities in Lotus Domino (http://securityvulns.ru/docs29277.html) and Lotus Notes Traveler (http://securityvulns.ru/docs30224.html).

During 2012-2013 I informed IBM that there are other holes in Domino (such as this XSS), besides the previous holes, but they were not interested.


Affected products:

Vulnerable are IBM Lotus Domino 8.5.3, 8.5.4 (which I tested) and previous versions. Versions Domino 9.0 and 9.0.1 also must be vulnerable (since IBM hasn't fixed it earlier).


Affected vendors:

IBM Domino (formerly IBM Lotus Domino)
http://www-03.ibm.com/software/products/us/en/ibmdomino/


Details:

Cross-Site Scripting (WASC-08):

http://site/mail/user.nsf/fc9368429d022147c3256c6a005431ff/3c575ad7c19a9ca0c22572b3002d5087/Body/%22;}alert(document.cookie);function%20a(){a=%22

To conduct the XSS attack, it is necessary to know the hashes in the address of a letter. They can be found via information leakage (i.e. an embedded image) or via another XSS vulnerability.


Timeline:

Read the full timeline in the first advisory (http://securityvulns.ru/docs28474.html).

  • During 16.05-20.05.2012 I wrote announcements about multiple vulnerabilities in IBM software at my site.
  • During 16.05-20.05.2012 I wrote five advisories via the contact form at the IBM site.
  • On 31.05.2012 I resent the five advisories to IBM PSIRT, which they received and said they would send them to the developers (of Lotus products).
  • On 18.08.2012 I reminded IBM about multiple holes and gave enough arguments to fix them.
  • On 14.04.2013 I again reminded IBM about Brute Force and Insufficient Authentication holes.
  • On 23.04.2013 IBM answered that they would not fix Brute Force and Insufficient Authentication holes and were not interested in this XSS.
  • During 15.02.2013-26.04.2013 I disclosed at my site the previous vulnerabilities in IBM Lotus Domino.
  • On 26.05.2015 I disclosed this vulnerability at my site (http://websecurity.com.ua/7783/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
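
Added example (not part of the original advisory, and not Domino's code): output encoding for a JavaScript string context, checked against the payload in the advisory's URL. It assumes the reflected path segment lands inside a double-quoted string in a script function body, which is what the payload's shape suggests; `renderScript`, `jsStringEscape` and `alertCalls` are hypothetical names.

```javascript
// Hypothetical template (assumption, not Domino's code): the reflected URL
// segment is written into a double-quoted string inside a script function.
function renderScript(value, encode) {
  return 'function init(){ var item = "' + encode(value) + '"; }';
}

// No encoding: the "before" behaviour the advisory describes.
const noEncoding = (s) => s;

// JavaScript-string-context encoder: every UTF-16 code unit that is not an
// ASCII letter or digit becomes \uXXXX, so quotes, backslashes, braces,
// "</script>" and line terminators cannot end the literal.
function jsStringEscape(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    const alnum = (c >= 48 && c <= 57) || (c >= 65 && c <= 90) || (c >= 97 && c <= 122);
    out += alnum ? s[i] : '\\u' + c.toString(16).padStart(4, '0');
  }
  return out;
}

// Run a generated script with stubbed alert/document and return what alert()
// received. The cookie value is constructed for this example.
function alertCalls(script) {
  const calls = [];
  const run = new Function('alert', 'document', script);
  run((v) => calls.push(v), { cookie: 'session=constructed' });
  return calls;
}

// The last path segment of the URL in the advisory, URL-decoded.
const reflected = decodeURIComponent('%22;}alert(document.cookie);function%20a(){a=%22');

const before = alertCalls(renderScript(reflected, noEncoding));
const after = alertCalls(renderScript(reflected, jsStringEscape));
console.log('alert calls without encoding:', before.length);
console.log('alert calls with jsStringEscape:', after.length);
```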