Security Bulletin: Aug-2012 IBM Lotus Domino Web Server Cross-Site Scripting Vulnerabilities (CVE-2012-3302, CVE-2012-3301)

Technote (troubleshooting)


Problem

A security researcher contacted IBM to report four security vulnerabilities in the IBM Lotus Domino HTTP server that permit cross-site scripting. These vulnerabilities could allow remote attackers to steal cookie-based authentication credentials. While fixes for all four are included in Domino 9.0 and 8.5.3 FP3, workarounds exist for two of them in Domino servers 7.0 and later by enabling a single INI setting. As of 15 March 2013, IBM has not received any reports of customer issues related to these security vulnerabilities.

Resolving the problem

VULNERABILITY DETAILS: IBM Lotus Domino WebMail Cross-Site Scripting

CVE ID: CVE-2012-3302

DESCRIPTION: Lotus Domino WebMail is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the WebMail UI. To exploit this vulnerability, the remote attacker must convince a browser user of the Mail template to click on a specially-crafted URL to execute a script. This script could be used to steal the victim's cookie-based authentication credentials.

As of 15 March 2013, IBM has not received any reports of customer issues related to this security vulnerability.

Note: iNotes is not susceptible to this attack; only HTTP access to mail without iNotes installed is affected.

CVSS:
Using the Common Vulnerability Scoring System (CVSS) v2, the security ratings for these issues are:

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/77401 for the current score.
CVSS Environmental Score: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

AFFECTED PLATFORMS:

Lotus Domino 8.5.x

REMEDIATION:

Fix:

This is being tracked as SPR #SRAO8V2NW6 and is included in releases 9.0 and 8.5.3 FP3. To track availability in upcoming releases, reference the Notes/Domino Fix List Upcoming Releases.

Workaround:

To avoid this attack, administrators can set the following variable on the Domino server NOTES.INI, available in release 7.0 and later:

DominoValidateFramesetSRC=1

Mitigation(s):

Apply the workaround.


VULNERABILITY DETAILS: IBM Lotus Domino Help Cross-Site Scripting on HTTP Server

CVE ID: CVE-2012-3302

DESCRIPTION: Lotus Domino Help made available over the Domino HTTP server is vulnerable to cross-site scripting, caused by improper input validation.

It is possible for an attacker to compromise the Domino HTTP server to remotely execute arbitrary code. To exploit this vulnerability, the remote attacker must convince a browser user of the Domino Help made available by Domino HTTP to click on a specially-crafted URL.

As of 15 March 2013, IBM has not received any reports of customer issues related to this security vulnerability.

CVSS:
Using the Common Vulnerability Scoring System (CVSS) v2, the security ratings for these issues are:

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/77401 for the current score.
CVSS Environmental Score: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

AFFECTED PLATFORMS:

Lotus Domino 8.5.x

REMEDIATION:

Fix:

This is being tracked as SPR #SRAO8V2NW6 and is included in releases 9.0 and 8.5.3 FP3. To track availability in upcoming releases, reference the Notes/Domino Fix List Upcoming Releases.

Workaround:

To thwart this attack, administrators may set the following variable on the Domino server notes.ini, available in release 7.0 and later:

DominoValidateFramesetSRC=1

Mitigation(s):

Apply the workaround.
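The two workarounds above (for the WebMail and Help cross-site scripting issues) both depend on one notes.ini line being present and set to 1. As an added example that is not part of the IBM bulletin, the following audit reads notes.ini text and reports whether DominoValidateFramesetSRC is enabled, disabled, or absent. It assumes notes.ini is a flat list of KEY=VALUE lines with case-insensitive keys, that the last occurrence of a duplicated key is the effective one, and that only the literal value 1 counts as enabled; the server names and file contents are constructed.

```python
"""Audit Domino notes.ini files for the DominoValidateFramesetSRC workaround."""
import re
from enum import Enum

WORKAROUND_KEY = "DominoValidateFramesetSRC"  # setting named in the bulletin
# KEY=VALUE, skipping blank lines, comments and the Windows "[Notes]" header.
LINE_RE = re.compile(r"^\s*([^=;#\s][^=]*?)\s*=\s*(.*?)\s*$")


class Status(Enum):
    ENABLED = "workaround enabled (=1)"
    DISABLED = "key present but not set to 1"
    MISSING = "key absent; server default applies"


def parse_notes_ini(text: str) -> dict:
    """Return {lowercased key: value}; a later duplicate overrides an earlier one
    (assumption about how the server resolves duplicates)."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def check_workaround(text: str) -> Status:
    """Classify one notes.ini: only the exact value 1 is treated as enabled."""
    value = parse_notes_ini(text).get(WORKAROUND_KEY.lower())
    if value is None:
        return Status.MISSING
    return Status.ENABLED if value.strip() == "1" else Status.DISABLED


def audit(inis: dict) -> dict:
    """Map each server name to the workaround status of its notes.ini text."""
    return {name: check_workaround(text) for name, text in inis.items()}


# Constructed sample files, not real server configurations.
SAMPLE_INIS = {
    "mail01": "[Notes]\nDirectory=/local/notesdata\nDominoValidateFramesetSRC=1\n",
    "mail02": "Directory=/local/notesdata\ndominovalidateframesetsrc = 0\n",
    "mail03": "Directory=/local/notesdata\nServerTasks=Update,Router,HTTP\n",
}

if __name__ == "__main__":
    for server, status in audit(SAMPLE_INIS).items():
        print(f"{server}: {status.value}")
```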


VULNERABILITY DETAILS: IBM Lotus Domino HTTP Server Response Splitting

CVE ID: CVE-2012-3301

DESCRIPTION: It is possible for an attacker to compromise the Domino HTTP server when accessed by a user of Mozilla Firefox 3.0.9 or earlier to leak information. To exploit this vulnerability, the remote attacker must convince the back-level Mozilla Firefox user to click on a specially-crafted URL.

As of 15 March 2013, IBM has not received any reports of customer issues related to this security vulnerability.

CVSS:
Using the Common Vulnerability Scoring System (CVSS) v2, the security ratings for these issues are:

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/77401 for the current score.
CVSS Environmental Score: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

AFFECTED PLATFORMS:

Lotus Domino 8.5.x

REMEDIATION:

Fix:

This is being tracked as SPR #KLYH8W9N6W and is included in release 9.0 and 8.5.3 FP3. To track availability in upcoming releases, reference the Notes/Domino Fix List Upcoming Releases.

Workaround:

None known.

Mitigation(s):

None known.


VULNERABILITY DETAILS: IBM Lotus Domino HTTP Server Response Splitting

CVE IDs: CVE-2012-3301

DESCRIPTION: It is possible for an attacker to compromise the Domino HTTP server when accessed by a browser to leak information. To exploit this vulnerability, the remote attacker must convince the browser user to click on a specially-crafted URL. This differs from the attack above only in the position of the split.

As of 15 March 2013, IBM has not received any reports of customer issues related to this security vulnerability.

CVSS:
Using the Common Vulnerability Scoring System (CVSS) v2, the security ratings for these issues are:

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/77400 for the current score.
CVSS Environmental Score: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

AFFECTED PLATFORMS:

Lotus Domino 8.5.x

REMEDIATION:

Fix:

This is being tracked as SPR #KLYH8W9N6W and is included in release 9.0 and 8.5.3 FP3. To track availability in upcoming releases, reference the Notes/Domino Fix List Upcoming Releases.

Workaround:

None known.

Mitigation(s):

None known.



References:

Complete CVSS Guide
On-line Calculator V2
CVE-2012-2174
IBM X-Force Database


RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

ACKNOWLEDGEMENT:
All four vulnerabilities were reported to IBM by researcher Eugene Dokukin (MustLive). Please see his Web Security site for further information.

Document information

More support for: IBM Domino Web Server

Software version: 8.5, 8.5.1, 8.5.2, 8.5.3

Operating system(s): AIX, IBM i, Linux, Solaris, Windows, z/OS

Reference #: 1608160

Modified date: 29 March 2013
