XSS flaw exposed in IBM Domino enterprise platform

A cross-site scripting vulnerability, allegedly ignored by IBM, has been revealed in the public domain.

A cross-site scripting vulnerability in IBM Domino which has existed for years has been publicly revealed.

Revealed last week by the Ukrainian security researcher known as MustLive, the flaw can be used to leak information from the IBM Domino platform.

IBM Domino, formerly IBM Lotus Domino, is a platform for hosting social business applications. The scalable enterprise platform is also used to control and monitor BYOD policies and features advanced clustering, server fault recovery and diagnostic network tools. According to the researcher, the vulnerability is present in versions 8.5.3, 8.5.4 and earlier. Domino 9.0 and 9.0.1 "must" also be vulnerable, according to MustLive, as IBM neglected to fix the problem earlier.

Originally discovered in 2012, the XSS vulnerability depends on other weaknesses to be exploitable: an attacker first has to learn hashes that appear in the address of a mail message, which the researcher ties to brute-force and insufficient-authentication holes in the platform. Once those hashes are known, the flaw lets an attacker inject client-side script into web pages and obtain information about the web server configuration, which can in turn be used for more advanced attacks.

"For conducting an XSS attack it's needed to know hashes in the address of a letter. They can be found via information leakage (i.e. embedded image) or via another XSS vulnerability," the advisory states.

The researcher has reported multiple vulnerabilities in the platform over the past three years. MustLive sent five advisories to IBM and says none received a response. After submitting the advisories to different departments and waiting through more than a month of silence, MustLive concluded that IBM developers appeared to "have decided to ignore these vulnerabilities."

IBM eventually responded, saying the firm would "not fix brute force and insufficient authentication holes" and that the XSS vulnerability, which depends on them, was therefore not of interest. In response, MustLive announced the intent to disclose publicly.

ZDNet has reached out to IBM and will update if we hear back.
