lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 31 Dec 2013 22:46:18 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: CSRF,
	XSS and Redirector vulnerabilities in IBM Lotus Notes Traveler

Hello list!

These are Cross-Site Request Forgery, Cross-Site Scripting and Redirector 
vulnerabilities in IBM Lotus Notes Traveler. They are similar to CSRF, XSS 
and Redirector vulnerabilities in IBM Lotus Domino 
(http://securityvulns.ru/docs29060.html), which I announced at 19.05.2012 
and disclosed 15.02.2013 (IBM fixed part of them at 14.03.2013), because 
login form in Notes Traveler is based on Domino's functionality.

CVE ID: CVE-2012-4842, CVE-2012-4844.
SecurityVulns ID: 12789.

Since vulnerabilities are similar, so I mentioned previous CVE and 
SecurityVulns ids. These are some of 2012's vulnerabilities, which need to 
be released (since holes in Domino I released earlier this year).

-------------------------
Affected products:
-------------------------

Vulnerable are IBM Lotus Notes Traveler 8.5.3  and previous versions. These 
vulnerabilities were fixed in Domino 9.0 (only XSS and Redirector), which 
was released at 14.03.2013.

All users of previous versions of Lotus Domino and Lotus Notes Traveler are 
vulnerable to these attacks and IBM didn't fix these holes in 8.5.x series, 
only in new 9.0 series. At that they didn't offer any workaround or 
mitigation for these issues. But I'll offer such workaround (see bellow), 
which can be used in previous versions of software.

----------
Details:
----------

Cross-Site Request Forgery (WASC-09):

Lack of captcha in login form (http://site/servlet/traveler) can be used for 
different attacks - for CSRF-attack to login into account (remote login - to 
conduct attacks on vulnerabilities inside of account), for XSS attacks, for 
redirect, for Brute Force (which I described in other advisory) and other 
automated attacks. Which you can read about in the article "Attacks on 
unprotected login forms" 
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html).

Examples of attacks on XSS and Redirector vulnerabilities with using of this 
CSRF vulnerability are provided bellow.

Cross-Site Scripting (WASC-08):

For attack it's needed to use working login and password at the site (i.e. 
the attacker needs to use existent account at the site - his own or 
someone's account, to which he got access via Brute Force vulnerability).

Exploit:

http://websecurity.com.ua/uploads/2013/IBM%20Lotus%20Notes%20Traveler%20Redirector.html

Redirector (URL Redirector Abuse) (WASC-38):

For attack it's needed to use working login and password at the site (i.e. 
the attacker needs to use existent account at the site - his own or 
someone's account, to which he got access via Brute Force vulnerability).

Exploit:

http://websecurity.com.ua/uploads/2013/IBM%20Lotus%20Notes%20Traveler%20Redirector.html

-----------------
Workaround:
-----------------

My workaround for these vulnerabilities is the next: turn off html-form for 
login and use Basic Authentication instead.

------------
Timeline:
------------ 

Full timeline of conversation with IBM read in the first advisory 
(http://securityvulns.ru/docs28474.html) and for similar vulnerabilities in 
Domino read timeline in previous advisory 
(http://securityvulns.ru/docs29060.html).

- After conversation with IBM about previous vulnerabilities (mentioned in 
all my previous advisories concerning IBM software), during June-December 
2012 I discussed these advisories with IBM. They answered very slowly and in 
most cases in their letters they wrote about holes related to Domino, but 
not to Notes Traveler.
- At 12.12.2012 send them information about these vulnerabilities, after IBM 
at last answered on question concerning Notes Traveler. With those "call me 
maybe" employees in IBM and their slow answering and even more slow fixing 
of vulnerabilities, I'll not be anymore informing them about 
vulnerabilities. Instead I'll be selling them to interested security 
companies (already found such one this year).
- At 15.02.2013 I disclosed at my site about IBM Lotus Domino.
- At 30.12.2013 I disclosed at my site about IBM Lotus Notes Traveler 
(http://websecurity.com.ua/6951/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ