exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New


Posted Sep 13, 2006
Authored by Dave Ferguson | Site fishnetsecurity.com

In Lotus Domino Web Access (DWA) version 7.0.1, the session token used to identify the user (called "LtpaToken") is not invalidated on the server upon user logout. The cookie is removed from the browser, but the token continues to be recognized by the server until a configurable expiration time is reached.

tags | advisory, web
SHA-256 | aed4fab020bf5946cea878da81dd157b62a3e142ecfbe895fa31a092c15a8709


Change Mirror Download

Title: Session Token Remains Valid After Logout in IBM Lotus Domino Web Access 7.0.1
Release Date: 09/12/2006
Affected Application: IBM Lotus Domino Web Access 7.0.1
(versions prior to 7.0.1 were not tested but may still be vulnerable).

Nominal Severity: Low
Severity If Successfully Exploited: High
Impact: Attacker impersonates legitimate user
Mitigating Factors: Requires discovery of a valid LtpaToken to exploit.

Discovery: Dave Ferguson, Security Consultant, FishNet Security
Initial Notification of Vendor: 08/28/2006
Permanent Advisory Location:


Vulnerability Overview:

In Lotus Domino Web Access (DWA) 7.0.1, the session token used to identify the user (called "LtpaToken") is not invalidated on the server upon user logout. The cookie is removed from the browser, but the token continues to be recognized by the server until a configurable expiration time is reached.

Attack Overview:

The most likely attack scenario is session hijacking or session stealing. Knowing a valid session token would allow a malicious person to access all functionality of the web application (except changing password, which requires knowledge of the current password). Lotus DWA is a personal information management application that includes e-mail, calendar, and task management. By hijacking (or stealing) a session, an attacker is able to impersonate a legitimate user, and can read the user's e-mail, send e-mail as the user, or change the user's preference settings.


Vulnerability Details:

When a Lotus DWA user logs in, a cookie called "LtpaToken" is set into the browser and is used throughout the session to uniquely identify the user. When a user logs out of DWA, the cookie is cleared from the browser, but this action has no effect on the server. The token eventually expires on the server after some configurable amount of time. A user who explicitly logs out of DWA may have a false sense of security. The LtpaToken cookie in his browser is deleted, but the token is still valid from the server's perspective and can be used by an attacker if he can discover it. Best practices in web application security would call for the LtpaToken to be invalidated/destroyed at logout time. Note that the vulnerability described here was observed with Session authentication under the Domino Web Engine tab set to "Multiple Servers (SSO)". The same behavior may occur with the "Single Server" configuration as well, but this was not tested.

The "LtpaToken" described here is a component in IBM's Lightweight Third-Party Authentication (LTPA) technology. The LTPA technology was designed to be a defacto standard across the IBM product family. LTPA is used in both IBM WebSphere and Lotus Domino products and allows for single sign-on across physical servers. For example, Domino can recognize and accept LTPA tokens created by WebSphere. For more information, please see the IBM redpaper at http://www.redbooks.ibm.com/redpieces/pdfs/redp4104.pdf


Keeping the LtpaToken confidential is critical to mitigating this issue. An attacker must be able to discover a valid LtpaToken before it expires. Because the LtpaToken is sent with each request, Lotus DWA should be deployed as a secure application. This means an SSL certificate should be installed on the server so that encrypted (https) communication between the browser and the server occurs.

Cross-site scripting (XSS) is a common application-level attack that can be used to steal cookies such as LtpaToken. Running the application under SSL does not hinder XSS attacks. Fortunately, Lotus Domino includes a module called Active Content Filter that is highly effective at removing potentially harmful scripts in e-mail messages. Active Content Filtering should be turned on.

Finally, the overall risk level can be lowered by enabling an idle session timeout in addition to the absolute expiration time. Ideally, from an application security perspective, the idle (inactivity) timeout would be much smaller than the absolute expiration. Be aware that the increased security from having small timeout values may negatively affect end-user satisfaction in the application.


IBM recommends running Lotus DWA run under SSL and using a token expiration time of 30 minutes.

Please see IBM technote #1245589:


You can reach the author of this advisory at: dave.ferguson[at]fishnetsecurity(dot)com
Login or Register to add favorites

File Archive:

June 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    18 Files
  • 2
    Jun 2nd
    13 Files
  • 3
    Jun 3rd
    0 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    32 Files
  • 6
    Jun 6th
    39 Files
  • 7
    Jun 7th
    22 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    0 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By