[<prev] [next>] [day] [month] [year] [list]
Message-ID: <00a301cf0669$63081300$9b7a6fd5@pc>
Date: Tue, 31 Dec 2013 22:46:18 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: CSRF,
XSS and Redirector vulnerabilities in IBM Lotus Notes Traveler
Hello list!
These are Cross-Site Request Forgery, Cross-Site Scripting and Redirector
vulnerabilities in IBM Lotus Notes Traveler. They are similar to CSRF, XSS
and Redirector vulnerabilities in IBM Lotus Domino
(http://securityvulns.ru/docs29060.html), which I announced at 19.05.2012
and disclosed 15.02.2013 (IBM fixed part of them at 14.03.2013), because
login form in Notes Traveler is based on Domino's functionality.
CVE ID: CVE-2012-4842, CVE-2012-4844.
SecurityVulns ID: 12789.
Since vulnerabilities are similar, so I mentioned previous CVE and
SecurityVulns ids. These are some of 2012's vulnerabilities, which need to
be released (since holes in Domino I released earlier this year).
-------------------------
Affected products:
-------------------------
Vulnerable are IBM Lotus Notes Traveler 8.5.3 and previous versions. These
vulnerabilities were fixed in Domino 9.0 (only XSS and Redirector), which
was released at 14.03.2013.
All users of previous versions of Lotus Domino and Lotus Notes Traveler are
vulnerable to these attacks and IBM didn't fix these holes in 8.5.x series,
only in new 9.0 series. At that they didn't offer any workaround or
mitigation for these issues. But I'll offer such workaround (see bellow),
which can be used in previous versions of software.
----------
Details:
----------
Cross-Site Request Forgery (WASC-09):
Lack of captcha in login form (http://site/servlet/traveler) can be used for
different attacks - for CSRF-attack to login into account (remote login - to
conduct attacks on vulnerabilities inside of account), for XSS attacks, for
redirect, for Brute Force (which I described in other advisory) and other
automated attacks. Which you can read about in the article "Attacks on
unprotected login forms"
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html).
Examples of attacks on XSS and Redirector vulnerabilities with using of this
CSRF vulnerability are provided bellow.
Cross-Site Scripting (WASC-08):
For attack it's needed to use working login and password at the site (i.e.
the attacker needs to use existent account at the site - his own or
someone's account, to which he got access via Brute Force vulnerability).
Exploit:
http://websecurity.com.ua/uploads/2013/IBM%20Lotus%20Notes%20Traveler%20Redirector.html
Redirector (URL Redirector Abuse) (WASC-38):
For attack it's needed to use working login and password at the site (i.e.
the attacker needs to use existent account at the site - his own or
someone's account, to which he got access via Brute Force vulnerability).
Exploit:
http://websecurity.com.ua/uploads/2013/IBM%20Lotus%20Notes%20Traveler%20Redirector.html
-----------------
Workaround:
-----------------
My workaround for these vulnerabilities is the next: turn off html-form for
login and use Basic Authentication instead.
------------
Timeline:
------------
Full timeline of conversation with IBM read in the first advisory
(http://securityvulns.ru/docs28474.html) and for similar vulnerabilities in
Domino read timeline in previous advisory
(http://securityvulns.ru/docs29060.html).
- After conversation with IBM about previous vulnerabilities (mentioned in
all my previous advisories concerning IBM software), during June-December
2012 I discussed these advisories with IBM. They answered very slowly and in
most cases in their letters they wrote about holes related to Domino, but
not to Notes Traveler.
- At 12.12.2012 send them information about these vulnerabilities, after IBM
at last answered on question concerning Notes Traveler. With those "call me
maybe" employees in IBM and their slow answering and even more slow fixing
of vulnerabilities, I'll not be anymore informing them about
vulnerabilities. Instead I'll be selling them to interested security
companies (already found such one this year).
- At 15.02.2013 I disclosed at my site about IBM Lotus Domino.
- At 30.12.2013 I disclosed at my site about IBM Lotus Notes Traveler
(http://websecurity.com.ua/6951/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists