Lotus Domino 8.5.4 Cross Site Scripting

Type packetstorm
Reporter MustLive
Modified 2013-03-27T00:00:00


                                            `Hello list!  
I want to warn you about multiple Cross-Site Scripting vulnerabilities in  
IBM Lotus Domino.  
Last year I've announced multiple vulnerabilities in IBM software and after  
IBM fixed many of them, I've disclosed them. These are new vulnerabilities  
in Domino, which I've found at 03.05.2012 together with other holes.  
In August 2012 I've wrote about vulnerabilities in IBM Lotus Domino, which  
were related to Domino WebMail. I'll add new vulnerabilities in WebMail to  
previous two holes. Which had CVE-2012-3302 and described in IBM Security  
Bulletin: Aug-2012 IBM Lotus Domino Web Server Cross-Site Scripting  
Vulnerabilities (http://www-01.ibm.com/support/docview.wss?uid=swg21608160).  
IBM haven't created new CVE and new advisory for these vulnerabilities (at  
least they didn't tell me and I didn't find it at their site).  
Affected products:  
Vulnerable are IBM Lotus Domino 8.5.4 and previous versions. These  
vulnerabilities have been fixed in Domino 9.0. Which was recently released.  
So every user of Domino can upgrade to latest 9.0 version or to use  
workaround for previous versions (provided bellow).  
Cross-Site Scripting (WASC-08):  
The attack is possible via data: and vbscript: URI.  
There is a workaround for these XSS vulnerabilities:  
To avoid this attack, administrators can set the following variable on the  
Domino server NOTES.INI, available in release 7.0 and later:  
This method can be used for versions prior to Domino 9 (where these XSS  
holes were fixed).  
Full timeline read in the first advisory  
- During 16.05-20.05.2012 I've wrote announcements about multiple  
vulnerabilities in IBM software at my site.  
- During 16.05-20.05.2012 I've wrote five advisories via contact form at IBM  
- At 31.05.2012 I've resend five advisories to IBM PSIRT, which they  
received and said they would send them to the developers (of Lotus  
- At 15.08.2012 IBM released their advisory (above-mentioned) - just few  
from total amount of holes.  
- At 12.12.2012 after IBM fixed part of the holes, which I sent them in May,  
I sent them new vulnerabilities in Lotus Domino.  
- At 15.12.2012 remind IBM about last holes. No answer.  
- At 02.03.2013 again remind IBM about last holes - since more then 2,5  
months there was no answer from them.  
- At 08.03.2013 IBM answered, holes will be fixed in Domino 9.0.  
- At 25.03.2013 I've disclosed these vulnerabilities at my site  
Best wishes & regards,  
Administrator of Websecurity web site