Hello 3APA3A!
I want to warn you about multiple Cross-Site Scripting vulnerabilities in IBM Lotus Domino.
Last year I've announced multiple vulnerabilities in IBM software and after IBM fixed many of them, I've disclosed them. These are new vulnerabilities in Domino, which I've found at 03.05.2012 together with other holes.
In August 2012 I've wrote about vulnerabilities in IBM Lotus Domino, which were related to Domino WebMail. I'll add new vulnerabilities in WebMail to previous two holes. Which had CVE-2012-3302 and described in IBM Security Bulletin: Aug-2012 IBM Lotus Domino Web Server Cross-Site Scripting Vulnerabilities (http://www-01.ibm.com/support/docview.wss?uid=swg21608160). IBM haven't created new CVE and new advisory for these vulnerabilities (at least they didn't tell me and I didn't find it at their site).
Vulnerable are IBM Lotus Domino 8.5.4 and previous versions. These vulnerabilities have been fixed in Domino 9.0. Which was recently released. So every user of Domino can upgrade to latest 9.0 version or to use workaround for previous versions (provided bellow).
Cross-Site Scripting (WASC-08):
The attack is possible via data: and vbscript: URI.
There is a workaround for these XSS vulnerabilities:
To avoid this attack, administrators can set the following variable on the Domino server NOTES.INI, available in release 7.0 and later:
DominoValidateFramesetSRC=1
This method can be used for versions prior to Domino 9 (where these XSS holes were fixed).
Full timeline read in the first advisory (http://securityvulns.ru/docs28474.html).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua