Date: 21 August 2012
References: ESB-2012.0560
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2012.0795
IBM Lotus Domino Web Server Cross-Site Scripting Vulnerabilities
21 August 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:           IBM Lotus Domino Web Server
Publisher:         IBM
Operating System:  AIX, Linux variants, Solaris, Windows
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
                   Access Confidential Data -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-3302 CVE-2012-3301 CVE-2012-2174
Reference:         ESB-2012.0560
Original Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21608160
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: Aug-2012 IBM Lotus Domino Web Server Cross-Site Scripting
Vulnerabilities (CVE-2012-3302, CVE-2012-3301)
Document information
Lotus Domino Web Server
Software version: 8.5, 8.5.1, 8.5.2, 8.5.3
Operating system(s): AIX, AIX 64bit, IBM i, Linux, Linux iSeries, Linux zSeries,
Solaris, Windows, Windows 64bit, i5/OS, z/OS
Reference #: 1608160
Modified date: 2012-08-15
Technote (troubleshooting)
Problem
A security researcher contacted IBM to report four security vulnerabilities in
the IBM Lotus Domino HTTP server that permit cross-site scripting. These
vulnerabilities could allow remote attackers to steal cookie-based
authentication credentials. While fixes for all four are planned for inclusion
in Domino 8.5.4, workarounds exist for two of them on Domino servers 7.0 and
later by enabling a single INI setting. As of 15 August 2012, IBM has not
received any reports of customer issues related to these security
vulnerabilities.
Resolving the problem
VULNERABILITY DETAILS: IBM Lotus Domino WebMail Cross-Site Scripting
CVE ID: CVE-2012-3302
DESCRIPTION: Lotus Domino WebMail is vulnerable to cross-site scripting,
caused by improper validation of user-supplied input by the WebMail UI. To
exploit this vulnerability, the remote attacker must convince a browser user
of the Mail template to click on a specially-crafted URL to execute a script.
This script could be used to steal the victim's cookie-based authentication
credentials.
As of 15 August 2012, IBM has not received any reports of customer issues
related to this security vulnerability.
Note: iNotes is not susceptible to this attack; only HTTP access to mail
without iNotes installed is affected.
CVSS: Using the Common Vulnerability Scoring System (CVSS) v2, the security
ratings for these issues are:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/77401 for the current score.
CVSS Environmental Score: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
AFFECTED PLATFORMS:
Lotus Domino 8.5.x
REMEDIATION:
Fix:
This is being tracked as SPR #SRAO8V2NW6 and is planned for release 8.5.4. To
track availability in upcoming releases, reference the Notes/Domino Fix List
Upcoming Releases.
Workaround:
To avoid this attack, administrators can set the following variable on the
Domino server NOTES.INI, available in release 7.0 and later:
DominoValidateFramesetSRC=1
Mitigation(s):
Apply the workaround.
VULNERABILITY DETAILS: IBM Lotus Domino Help Cross-Site Scripting on HTTP
Server
CVE ID: CVE-2012-3302
DESCRIPTION: Lotus Domino Help made available over the Domino HTTP server is
vulnerable to cross-site scripting, caused by improper input validation.
It is possible for an attacker to compromise the Domino HTTP server to
remotely execute arbitrary code. To exploit this vulnerability, the remote
attacker must convince a browser user of the Domino Help made available by
Domino HTTP to click on a specially-crafted URL.
As of 15 August 2012, IBM has not received any reports of customer issues
related to this security vulnerability.
CVSS: Using the Common Vulnerability Scoring System (CVSS) v2, the security
ratings for these issues are:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/77401 for the current score.
CVSS Environmental Score: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
AFFECTED PLATFORMS:
Lotus Domino 8.5.x
REMEDIATION:
Fix:
This is being tracked as SPR #SRAO8V2NW6 and is planned for release 8.5.4. To
track availability in upcoming releases, reference the Notes/Domino Fix List
Upcoming Releases.
Workaround:
To thwart this attack, administrators may set the following variable on the
Domino server notes.ini, available in release 7.0 and later:
DominoValidateFramesetSRC=1
Mitigation(s):
Apply the workaround.
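The two workarounds above both come down to one notes.ini setting. The following audit script is an added example, not part of the IBM bulletin or the AusCERT text: it parses a notes.ini (assumed to be a plain key=value file, keys compared case-insensitively, surrounding whitespace tolerated) and reports whether DominoValidateFramesetSRC is explicitly set to 1. The sample notes.ini excerpt is constructed, not taken from a real server.

```python
"""Audit a Domino notes.ini for the DominoValidateFramesetSRC workaround."""
from __future__ import annotations

SETTING = "DominoValidateFramesetSRC"

# Constructed sample notes.ini excerpt (not from a real server); the key is
# deliberately written in a different case with spaces around '='.
SAMPLE_INI = """\
[Notes]
Directory=C:\\Domino\\data
ServerTasks=Update,Replica,Router,AMgr,HTTP
dominovalidateframesetsrc = 1
"""


def parse_notes_ini(text: str) -> dict[str, str]:
    """Return {lowercased key: value} for every key=value line.

    Assumption: section headers such as [Notes], blank lines and lines without
    '=' carry no settings and are skipped; a repeated key keeps its last value.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def workaround_enabled(settings: dict[str, str]) -> bool:
    """True only when DominoValidateFramesetSRC is present and set to 1."""
    return settings.get(SETTING.lower()) == "1"


def audit(text: str) -> str:
    """One-line status suitable for collecting across a fleet of servers."""
    status = "ENABLED" if workaround_enabled(parse_notes_ini(text)) else "MISSING"
    return f"{SETTING}: {status}"


if __name__ == "__main__":
    print(audit(SAMPLE_INI))
```

A MISSING result on an 8.5.x server that has not yet received the 8.5.4 fix is the condition an administrator would act on.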
VULNERABILITY DETAILS: IBM Lotus Domino HTTP Server Response Splitting
CVE ID: CVE-2012-3301
DESCRIPTION: It is possible for an attacker to compromise the Domino HTTP
server when accessed by a user of Mozilla Firefox 3.0.9 or earlier to leak
information. To exploit this vulnerability, the remote attacker must convince
the back-level Mozilla Firefox user to click on a specially-crafted URL.
As of 15 August 2012, IBM has not received any reports of customer issues
related to this security vulnerability.
CVSS: Using the Common Vulnerability Scoring System (CVSS) v2, the security
ratings for these issues are:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/77401 for the current score.
CVSS Environmental Score: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
AFFECTED PLATFORMS:
Lotus Domino 8.5.x
REMEDIATION:
Fix:
This is being tracked as SPR #KLYH8W9N6W and is planned for release 8.5.4. To
track availability in upcoming releases, reference the Notes/Domino Fix List
Upcoming Releases.
Workaround:
None known.
Mitigation(s):
None known
VULNERABILITY DETAILS: IBM Lotus Domino HTTP Server Response Splitting
CVE IDs: CVE-2012-3301
DESCRIPTION: It is possible for an attacker to compromise the Domino HTTP
server when accessed by a browser to leak information. To exploit this
vulnerability, the remote attacker must convince the browser user to click on
a specially-crafted URL. This differs from the attack above only in the
position of the split.
As of 15 August 2012, IBM has not received any reports of customer issues
related to this security vulnerability.
CVSS: Using the Common Vulnerability Scoring System (CVSS) v2, the security
ratings for these issues are:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/77400 for the current score.
CVSS Environmental Score: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
AFFECTED PLATFORMS:
Lotus Domino 8.5.x
REMEDIATION:
Fix:
This is being tracked as SPR #KLYH8W9N6W and is planned for release 8.5.4. To
track availability in upcoming releases, reference the Notes/Domino Fix List
Upcoming Releases.
Workaround:
None known
Mitigation(s):
None known
References:
Complete CVSS Guide
On-line Calculator V2
CVE-2012-2174 IBM X-Force Database
RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
ACKNOWLEDGEMENT: All four vulnerabilities were reported to IBM by researcher
Eugene Dokukin (MustLive). Please see his Web Security site for further
information.
Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business
Machines Corp., registered in many jurisdictions worldwide. Other product and
service names might be trademarks of IBM or other companies. A current list of
IBM trademarks is available on the Web at "Copyright and trademark
information" at www.ibm.com/legal/copytrade.shtml.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----