wissel.net

Usability - Productivity - Business - The web - Singapore & Twins

XSS Vulnerabilities in Domino


An IBM Technote updated on 15 Aug 2012 points to a set of XSS vulnerabilities in the Lotus Domino server. You can also read the disclosure on seclist.org. But first go to your server configuration document and add:
DominoValidateFramesetSRC=1
Welcome back (you don't edit the notes.ini directly, do you!). When looking at XSS vulnerabilities, they follow the same pattern as SQL injections: input provided by the user is not fully sanitised before it is used to generate output. In web applications the "usual suspects" for such attacks are:
  • Framesets
  • URL parameters
  • Error and redirection pages
  • Form submissions
Finding all those is quite a task for both developers and attackers, since URLs can be encoded in many different ways (@URLDecode is your friend). Luckily (for the former) and unfortunately (for the latter) there is help available. Poking around in Domino made me add the following server rules (Update: thanks to Sven for pointing that out; not needed on Domino 8.5.4 and later). The first rule:
  • Type of rule: HTTP response headers
  • Incoming URL pattern: */xsp/.ibmxspres/*
  • HTTP response codes: 404
  • Expires header: Don't add header
  • Custom header: Content-Type : text/plain (overwrite)
And the second rule:
  • Type of rule: HTTP response headers
  • Incoming URL pattern: */xsp/.ibmmodres/*
  • HTTP response codes: 404
  • Expires header: Don't add header
  • Custom header: Content-Type : text/plain (overwrite)
Of course a server rule requires that you use the "Internet sites" configuration - since that option was introduced in R6.0, it is high time you used it.
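To see why the rules above help, here is an added example (not code from the post or from IBM) that checks a 404 response offline: it is considered mitigated when the body is served as text/plain, or when it no longer echoes the request path with its markup intact. The HTTP responses and the 404 wording are constructed for the example, and the glob semantics of the rule patterns are an assumption.

```python
"""Offline check of the server-rule mitigation from the post: a 404 page that
echoes the requested URL is only a problem when the browser treats the body as
HTML. Sample responses below are constructed, not captured from Domino."""
import fnmatch
import html

# The two "Incoming URL pattern" values from the server rules in the post.
RULE_PATTERNS = ("*/xsp/.ibmxspres/*", "*/xsp/.ibmmodres/*")
# Benign marker path (assumption: a harmless <b> tag is enough to tell whether
# markup from the URL gets rendered; no script is needed for the check).
PROBE_PATH = "/domcfg.nsf/xsp/.ibmxspres/<b>probe</b>"

def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def path_matches_rule(path: str) -> bool:
    """True if the path falls under one of the rule patterns (glob matching assumed)."""
    return any(fnmatch.fnmatchcase(path, pat) for pat in RULE_PATTERNS)

def is_mitigated(raw_response: str, requested_path: str) -> bool:
    """True if the 404 response cannot render markup taken from the request path."""
    status, headers, body = parse_response(raw_response)
    if status != 404:
        return True                      # the rules only target 404 responses
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype == "text/plain":
        return True                      # shown verbatim, never parsed as HTML
    has_markup = any(c in requested_path for c in "<>\"'")
    return not (has_markup and requested_path in body)

# Constructed sample responses; the 404 body wording is made up.
BEFORE_RULE = ("HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
               f"<html><body>Not found: {PROBE_PATH}</body></html>")
AFTER_RULE = ("HTTP/1.1 404 Not Found\r\nContent-Type: text/plain\r\n\r\n"
              f"Not found: {PROBE_PATH}")
ESCAPED = ("HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
           f"<html><body>Not found: {html.escape(PROBE_PATH)}</body></html>")

if __name__ == "__main__":
    for name, resp in (("before rule", BEFORE_RULE), ("after rule", AFTER_RULE), ("escaped", ESCAPED)):
        print(f"{name}: {'mitigated' if is_mitigated(resp, PROBE_PATH) else 'VULNERABLE'}")
```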
As usual YMMV

Posted by on 06 September 2012 | Comments (1) | categories: Show-N-Tell Thursday

Comments

  1. posted by Sven Hasselbach on Tuesday 11 September 2012 AD:
    Thanks for this!

    But there is still another vulnerability:

    */xsp/.ibmmodres/* has the same problem (the XSS only works inside a database URL, e.g. domcfg.nsf)

    F.e.
    { Link }

    You have to add another rule for this one.