[ERPSCAN-13-010] Lotus Domino Web Administrator – Cross Site Command Execution
Application: Lotus Domino
Versions Affected: Lotus Domino Web Administrator 6.5 and 8.5.1
Vendor URL: IBM
Bugs: CSRF, Command execution
Vendor response: 22.04.2010
Date of Public Advisory: 24.03.2013
CVE number: CVE-2013-0489
Author: Alexander Polyakov (ERPScan)
Lotus Domino is vulnerable to CSRF attack which can de used for OS command execution in webadmin.nsf database by using Quick Console.
Lotus Domino is an IBM server product that provides enterprise-grade e-mail, collaboration capabilities, and custom application platform. Domino began life as Lotus Notes Server, the server component of Lotus Development Corporation’s client-server messaging technology. It can be used as an application server for Lotus Notes applications and/or as a web server. It also has a built-in database system in the format of NSF.
Server is vulnerable to Cross Site Request Forgery attack. One of the ways to execute this attack is Cross Site Command Execution. By sending a special link to the administrator, an attacker can execute any command on the OS where Lotus is installed and get the result of the executed command.
An attacker can give the administrator the following link:
URL=http://server/webadmin.nsf/agReadConsoleData$UserL2?OpenAgent&Mode=QuickConsole&Command=load cmd /c net user hack hack123 /add > C:\Lotus\Domino\data\domino\html\download\filesets\netuser.png&1271932906681
If the administrator clicks this link, a command is executed which will add a new user to the OS. The attacker can also check if it executes by reading the file http://server/download/filesets/netuser.png
An attacker can use CSRF vulnerability by sending a link on malicious page to an unaware user via e-mail, messaging, or social networks. The end user browser has no way to know that the page should not be trusted, and will execute the script. Thus, an attacker can gain access to user session and gain control over the business-critical information which can be accessed by the victim.