IBM Lotus Domino HTTP Response isolation and Cross-Site Scripting

Release date:
Updated on:

Affected Systems:
IBM Lotus Domino 8.x
Description:
--------------------------------------------------------------------------------
Cve id: CVE-2012-3301, CVE-2012-3302

IBM Lotus Domino is a server product that provides enterprise-level email, collaboration, and custom application platforms.

IBM Lotus Domino versions earlier than 8.5.4 have multiple implementation vulnerabilities that can be exploited by malicious users to perform HTTP Response separation and XSS attacks.

1) Some unknown inputs are returned to the user if they are not properly filtered. you can insert an HTTP header and return it to the user in response. Attackers can execute arbitrary HTML and script code in the browsers of affected sites.

2) If the input related to the help and Web mail is not properly filtered, it is returned to the user, which can be exploited to execute arbitrary HTML and script code in the user browser of the affected site.

<* Source: Jean Pascal Pereira

Link: http://secunia.com/advisories/50330/
*>

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

IBM
---
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://www.ers.ibm.com/