mustlive at websecurity
Sep 2, 2012, 11:02 AM
Post #1 of 1
XSS and IL vulnerabilities in IBM Lotus Domino
I want to warn you about Cross-Site Scripting and Information Leakage
vulnerabilities in IBM Lotus Domino. At 15th of August IBM released the
advisory concerning these Cross-Site Scripting vulnerabilities.
CVE ID: CVE-2012-3302.
Vulnerable are IBM Lotus Domino 8.5.3 and previous versions. XSS
vulnerabilities will be fixed in Domino 8.5.4 and IBM are still working on
Information Leakage and other vulnerabilities, about which I've informed
For fixes, workarounds and mitigations reference to IBM Security Bulletin:
This XSS in March 2008 worked in such way:
possible that my German client informed IBM in 2008 about multiple holes,
which I found in Domino). But there is a possibility to attack via data: and
Information Leakage (WASC-13):
At page https://site/domcfg.nsf, which is accessible without authentication,
there is a leakage of information about Web Server Configuration. Such
situation I saw at many sites on Lotus Domino.
- During 16.05-20.05 I've wrote announcements about multiple vulnerabilities
in IBM software at my site.
- During 16.05-20.05 I've wrote five advisories via contact form at IBM
site. No reaction from "IT security".
- At 20.05 I've contacted "Software support". Received formal answer.
- At 20.05 informed support, that this is security issues (not something
small, which they can just ignore) and they need to sent it to security
department. Again received formal answer - this time with "call me maybe"
paragraph. In result IBM employees just ignored.
- At 30.05 I've contacted IBM PSIRT directly. They said they didn't received
anything, not from me via contact form, nor from support. The same as they
didn't do anything (no security audit of their software) to make these
multiple vulnerabilities in multiple IBM software to go to the wild.
- At 31.05 I've resend five advisories, which they received and said they
would send them to the developers (of Lotus products).
- At 06.06, after silence from PSIRT, I've reminded them. They said there is
still no info from developers.
- At 10.07, after more then month of silence since last time from PSIRT,
I've reminded them. No answer from them. This looks like IBM developers have
decided to ignore these vulnerabilities.
- At 14.07 I've informed IBM PSIRT, that due to their ignoring I'd plan
public disclosure of these vulnerabilities on July.
- At 18.07, 12:06 AM, PSIRT answered (after 1,5 months of silence) and said
that previous day they had meeting with developers, which were working on
these issues, and they started to fix them. No concrete deadline, they just
- At 15.08 IBM released their advisory (about Cross-Site Scripting and HTTP
Response Splitting holes - just few from total amount of holes).
- At 27.08.2012 I've disclosed these vulnerabilities (first advisory) at my
Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/