IBM Domino Web Administrator (webadmin.nsf) has multiple cross-site scripting vulnerabilities of low CVSS score. These vulnerabilities do not exist in the Domino Administrator client. To prevent the potential for these attacks, migrate away from Domino Web Administrator. Instead use the Domino Administrator client or the mitigations listed below.
Domino Web Administrator is being deprecated. No new functions will be added and IBM Support will not escalate issues reported. Customers are advised to use the fully functional Domino Administrator client.
There are so many levels of "WTF" in that post that it is difficult to pick a place to start this rant... The way in which this "announcement" percolated out? The IBM promise of "mobile first"? The fact that even IBM have made the web their de facto standard for admin tools (see WebSphere)? So many mistakes, so little time.
Now, there is a "fix" in that post:
Access Domino Web Administrator from a browser session which is used only for this purpose. Do not use this session to visit web sites other than the server being administered. Do not use other web applications during this session; for instance, do not read email.
And I guess we could all do that (and maybe even should). But the fact that IBM have declared they are deprecating webadmin.nsf is yet another example of IBM only fixing shit they see as a problem. This is ludicrous. Oh, to live in IBM's pink unicorn world where there are rainbows, mermaids and everyone uses IBM Connections. But the fact is (aside from IBM's Connections dream being a bit of a disaster) that webadmin.nsf is one of the most useful tools you have (provided it is secure of course).
Don't have access to your admin client? Need to register a new user? As long as you have the CA process enabled, you can. Need to restart a task on the server? You can. Now, there is a boatload of Java applets in there too, which I despise more than US Senator Ted Cruz, but still, it worked. After a fashion. Kind of. Almost.
But instead of fixing the XSS issues, or, even more preferable, rewriting the application in XPages (showing us the power of that technology), and maybe giving us mobile access too (you know, "Mobile First")? IBM give us deprecation.
While I am on about IBM and Java applets... ah, bollocks, that's most likely a different post... but still, applets? Really? Very early '90s.
Anyway, IBM, show *some* leadership here: rewrite webadmin.nsf using XPages and give us mobile access too. Turn this turd into a gold bar. Come on, you know you can.