
IBM Lotus Domino 8.5.4 / 8.5.3 Cross Site Scripting

Posted on 29 May 2015

Hello list!

I want to warn you about a Cross-Site Scripting vulnerability in IBM Domino. This is one of many vulnerabilities in Domino that I found on 03.05.2012.

In previous years I wrote about multiple vulnerabilities in Lotus Domino (http://securityvulns.ru/docs29277.html) and Lotus Notes Traveler (http://securityvulns.ru/docs30224.html). During 2012-2013 I informed IBM that there are other holes in Domino (such as this XSS), besides the previous holes, but they were not interested.

-------------------------
Affected products:
-------------------------

Vulnerable are IBM Lotus Domino 8.5.3, 8.5.4 (which I tested) and previous versions. Versions Domino 9.0 and 9.0.1 also must be vulnerable (since IBM hasn't fixed it earlier).

-------------------------
Affected vendors:
-------------------------

IBM Domino (formerly IBM Lotus Domino)
http://www-03.ibm.com/software/products/us/en/ibmdomino/

----------
Details:
----------

Cross-Site Scripting (WASC-08):

http://site/mail/user.nsf/fc9368429d022147c3256c6a005431ff/3c575ad7c19a9ca0c22572b3002d5087/Body/%22;}alert(document.cookie);function%20a(){a=%22

To conduct the XSS attack, it is necessary to know the hashes in the address of a letter. They can be found via an information leakage (e.g. an embedded image) or via another XSS vulnerability.

------------
Timeline:
------------

Read the full timeline in the first advisory (http://securityvulns.ru/docs28474.html).

- During 16.05-20.05.2012 I wrote announcements about multiple vulnerabilities in IBM software at my site.
- During 16.05-20.05.2012 I wrote five advisories via the contact form at the IBM site.
- On 31.05.2012 I resent the five advisories to IBM PSIRT, which they received and said they would send to the developers (of Lotus products).
- On 18.08.2012 I reminded IBM about the multiple holes and gave enough arguments to fix them.
- On 14.04.2013 I again reminded IBM about the Brute Force and Insufficient Authentication holes.
- On 23.04.2013 IBM answered that they would not fix the Brute Force and Insufficient Authentication holes and are not interested in this XSS.
- During 15.02.2013-26.04.2013 I disclosed the previous vulnerabilities in IBM Lotus Domino at my site.
- On 26.05.2015 I disclosed this vulnerability at my site (http://websecurity.com.ua/7783/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
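
A log check for the request shape shown in the Details section, as an added example that is not part of the original advisory: it percent-decodes each request target and flags `/Body/` paths whose trailing segment contains characters that can close a JavaScript string or statement. The log lines, the 32-character hex identifiers, the legitimate-looking Body URL and the function names are constructed for illustration, and treating these characters as never legitimate after `/Body/` is an assumption to tune against real traffic.

```python
import re
from urllib.parse import unquote

# Path shape taken from the advisory's URL: <db>.nsf/<32 hex>/<32 hex>/Body/<tail>
BODY_PATH = re.compile(r"\.nsf/[0-9a-f]{32}/[0-9a-f]{32}/Body/(.*)", re.I | re.S)
# Characters that can end a JavaScript string or statement, or open markup.
# Assumption: none of these appear in a legitimate Body element reference.
SCRIPT_BREAKERS = set("\"'`;{}()<>\\")
# Request line inside a Common Log Format entry: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so multiply-encoded input is normalized."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_body_request(log_line):
    """Return the decoded /Body/ tail if it holds script-breaking characters."""
    request = REQUEST.search(log_line)
    if not request:
        return None
    body = BODY_PATH.search(fully_decode(request.group(1)))
    if not body:
        return None
    tail = body.group(1)
    return tail if SCRIPT_BREAKERS & set(tail) else None


# Constructed sample data (not taken from any real server).
HEX_ID = "0123456789abcdef0123456789abcdef"
PREFIX = '192.0.2.10 - - [26/May/2015:10:00:00 +0000] "GET /mail/user.nsf/'
BASE = PREFIX + HEX_ID + "/" + HEX_ID + "/Body/"
SAMPLE_LOG = [
    BASE + '0.84?OpenElement&FieldElemFormat=gif HTTP/1.1" 200 512',
    BASE + '%22;}alert(document.cookie);function%20a(){a=%22 HTTP/1.1" 200 900',
    BASE + '%2522%253B%257Dx HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, line in enumerate(SAMPLE_LOG, 1):
        hit = suspicious_body_request(line)
        if hit is not None:
            print(f"line {number}: suspicious Body tail {hit!r}")
```
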

 
