Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:30224
HistoryJan 09, 2014 - 12:00 a.m.

CSRF, XSS and Redirector vulnerabilities in IBM Lotus Notes Traveler

2014-01-0900:00:00
vulners.com
60

Hello 3APA3A!

These are Cross-Site Request Forgery, Cross-Site Scripting and Redirector vulnerabilities in IBM Lotus Notes Traveler. They are similar to CSRF, XSS and Redirector vulnerabilities in IBM Lotus Domino (http://securityvulns.ru/docs29060.html), which I announced at 19.05.2012 and disclosed 15.02.2013 (IBM fixed part of them at 14.03.2013), because login form in Notes Traveler is based on Domino's functionality.

CVE ID: CVE-2012-4842, CVE-2012-4844.
SecurityVulns ID: 12789.

Since vulnerabilities are similar, so I mentioned previous CVE and SecurityVulns ids. These are some of 2012's vulnerabilities, which need to be released (since holes in Domino I released earlier this year).


Affected products:

Vulnerable are IBM Lotus Notes Traveler 8.5.3 and previous versions. These vulnerabilities were fixed in Domino 9.0 (only XSS and Redirector), which was released at 14.03.2013.

All users of previous versions of Lotus Domino and Lotus Notes Traveler are vulnerable to these attacks and IBM didn't fix these holes in 8.5.x series, only in new 9.0 series. At that they didn't offer any workaround or mitigation for these issues. But I'll offer such workaround (see bellow), which can be used in previous versions of software.


Details:

Cross-Site Request Forgery (WASC-09):

Lack of captcha in login form (http://site/servlet/traveler) can be used for different attacks - for CSRF-attack to login into account (remote login - to conduct attacks on vulnerabilities inside of account), for XSS attacks, for redirect, for Brute Force (which I described in other advisory) and other automated attacks. Which you can read about in the article "Attacks on unprotected login forms" (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html).

Examples of attacks on XSS and Redirector vulnerabilities with using of this CSRF vulnerability are provided bellow.

Cross-Site Scripting (WASC-08):

For attack it's needed to use working login and password at the site (i.e. the attacker needs to use existent account at the site - his own or someone's account, to which he got access via Brute Force vulnerability).

Exploit:

http://websecurity.com.ua/uploads/2013/IBM%20Lotus%20Notes%20Traveler%20Redirector.html

Redirector (URL Redirector Abuse) (WASC-38):

For attack it's needed to use working login and password at the site (i.e. the attacker needs to use existent account at the site - his own or someone's account, to which he got access via Brute Force vulnerability).

Exploit:

http://websecurity.com.ua/uploads/2013/IBM%20Lotus%20Notes%20Traveler%20Redirector.html


Workaround:

My workaround for these vulnerabilities is the next: turn off html-form for login and use Basic Authentication instead.


Timeline:

Full timeline of conversation with IBM read in the first advisory (http://securityvulns.ru/docs28474.html) and for similar vulnerabilities in Domino read timeline in previous advisory (http://securityvulns.ru/docs29060.html).

  • After conversation with IBM about previous vulnerabilities (mentioned in all my previous advisories concerning IBM software), during June-December 2012 I discussed these advisories with IBM. They answered very slowly and in most cases in their letters they wrote about holes related to Domino, but not to Notes Traveler.
  • At 12.12.2012 send them information about these vulnerabilities, after IBM at last answered on question concerning Notes Traveler. With those "call me maybe" employees in IBM and their slow answering and even more slow fixing of vulnerabilities, I'll not be anymore informing them about vulnerabilities. Instead I'll be selling them to interested security companies (already found such one this year).
  • At 15.02.2013 I disclosed at my site about IBM Lotus Domino.
  • At 30.12.2013 I disclosed at my site about IBM Lotus Notes Traveler (http://websecurity.com.ua/6951/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Related for SECURITYVULNS:DOC:30224