Secunia Security Advisory - Leandro Meiners has reported a security issue in Lotus Domino, which can be exploited by malicious users to disclose certain sensitive information.
----------------------------------------------------------------------
Are you interested in a new job in IT security?
Secunia has two open positions for a Junior and a Senior Specialist in
IT Security:
http://secunia.com/secunia_vacancies/
----------------------------------------------------------------------
TITLE:
Lotus Domino Webmail Information Disclosure Security Issue
SECUNIA ADVISORY ID:
SA16231
VERIFY ADVISORY:
http://secunia.com/advisories/16231/
CRITICAL:
Less critical
IMPACT:
Exposure of sensitive information
WHERE:
From remote
SOFTWARE:
IBM Lotus Domino 5.x
http://secunia.com/product/207/
IBM Lotus Domino 6.x
http://secunia.com/product/720/
DESCRIPTION:
Leandro Meiners has reported a security issue in Lotus Domino, which
can be exploited by malicious users to disclose certain sensitive
information.
The security issue is caused due to the Webmail component including a
user's password information in HTML hidden fields when the user's
entry is viewed in the public address book. This can be exploited to
obtain other users' password hashes, password change dates, and other
sensitive information by viewing the HTML source.
If the password hashes are generated without a salt, they are
susceptible to pre-computed dictionary attacks.
The security issue has been reported in versions 5.0, 6.0, and 6.5.
SOLUTION:
Configure Domino to store users' passwords using salted hashes and
not to include users' password hashes in HTML hidden fields.
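As an added example, not part of the Secunia or Cybsec advisory, the following Python script audits an HTML page for hidden form fields whose name or value suggests password material, which is how a defender can confirm that a fix of this kind actually keeps hashes out of the rendered address-book entry. The field names and values in the embedded sample page are constructed for illustration and are not taken from the advisory.

```python
"""Flag hidden <input> fields that appear to carry credential material."""
import re
from html.parser import HTMLParser

# Field names that hint at credential data (case-insensitive).
SENSITIVE_NAME = re.compile(r"(passw(or)?d|pwd|secret|hash)", re.I)
# Values that look like a bare hex message digest (32 to 64 hex chars),
# optionally wrapped in parentheses.
DIGEST_VALUE = re.compile(r"^\(?[0-9a-fA-F]{32,64}\)?$")


class HiddenFieldScanner(HTMLParser):
    """Collects hidden inputs whose name or value looks sensitive."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("type", "").lower() != "hidden":
            return
        name, value = attr.get("name", ""), attr.get("value", "")
        reasons = []
        if SENSITIVE_NAME.search(name):
            reasons.append("name suggests credential material")
        if DIGEST_VALUE.match(value):
            reasons.append("value looks like a message digest")
        if reasons:
            self.findings.append({"name": name, "value": value, "reasons": reasons})


def scan_hidden_fields(html):
    """Return a list of suspicious hidden fields found in the HTML text."""
    scanner = HiddenFieldScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample of a rendered address-book entry; field names are assumed.
SAMPLE_PAGE = """<html><body><form>
<input type="hidden" name="FormName" value="Person">
<input type="hidden" name="HTTPPassword" value="(0123456789abcdef0123456789abcdef)">
<input type="hidden" name="HTTPPasswordChangeDate" value="07/25/2005">
<input type="text" name="FullName" value="Jane Doe">
</form></body></html>"""

if __name__ == "__main__":
    for finding in scan_hidden_fields(SAMPLE_PAGE):
        print(f"{finding['name']}: {', '.join(finding['reasons'])}")
```

Run it against saved responses from the public address book after the configuration change; an empty result for every entry means no hidden field still carries a hash.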
PROVIDED AND/OR DISCOVERED BY:
Leandro Meiners, Cybsec S.A.
ORIGINAL ADVISORY:
IBM:
http://www-1.ibm.com/support/docview.wss?uid=swg21212934
Cybsec S.A.:
http://www.cybsec.com/vuln/default_configuration_information_disclosure_lotus_domino.pdf
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------