----------------------------------------------------------------------

Are you interested in a new job in IT security? Secunia has two open
positions as Junior and Senior Specialist in IT Security:
http://secunia.com/secunia_vacancies/

----------------------------------------------------------------------

TITLE:
Lotus Domino Webmail Information Disclosure Security Issue

SECUNIA ADVISORY ID:
SA16231

VERIFY ADVISORY:
http://secunia.com/advisories/16231/

CRITICAL:
Less critical

IMPACT:
Exposure of sensitive information

WHERE:
From remote

SOFTWARE:
IBM Lotus Domino 5.x
http://secunia.com/product/207/
IBM Lotus Domino 6.x
http://secunia.com/product/720/

DESCRIPTION:
Leandro Meiners has reported a security issue in Lotus Domino, which
can be exploited by malicious users to disclose certain sensitive
information.

The security issue is caused by the Webmail component including a
user's password information in HTML hidden fields when the user's
entry is viewed in the public address book. This can be exploited to
obtain other users' password hashes, password change dates, and other
sensitive information by viewing the HTML source. Users' password
hashes are susceptible to pre-computed dictionary attacks if they are
generated without salt.

The security issue has been reported in versions 5.0, 6.0, and 6.5.

SOLUTION:
Configure Domino to store users' passwords using salted hashes and not
to include users' password hashes in HTML hidden fields.

PROVIDED AND/OR DISCOVERED BY:
Leandro Meiners, Cybsec S.A.

ORIGINAL ADVISORY:
IBM:
http://www-1.ibm.com/support/docview.wss?uid=swg21212934

Cybsec S.A.:
http://www.cybsec.com/vuln/default_configuration_information_disclosure_lotus_domino.pdf

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
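As an added illustration that is not part of the advisory or of Domino: the check below parses a constructed address-book entry page, reports the hidden inputs that carry a stored password hash (the disclosure described above), and shows why an unsalted hash is recoverable from a table precomputed before the hash was ever seen while a salted copy of the same password is not. SHA-256 and the field names are assumptions, since the advisory names neither Domino's hash format nor its fields.

```python
import hashlib
import os
from html.parser import HTMLParser

# Assumption: SHA-256 stands in for the real digest and the field names are
# invented; the advisory names neither Domino's hash format nor its fields.
def unsalted(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()

def salted(pw: str, salt: bytes) -> str:
    return hashlib.sha256(salt + pw.encode()).hexdigest()

def precomputed_table(words):
    # Built once, before any hash is seen: one lookup per exposed unsalted hash.
    return {unsalted(w): w for w in words}

class HiddenFieldCollector(HTMLParser):
    """Collect name/value pairs of <input type="hidden"> elements."""
    def __init__(self):
        super().__init__()
        self.fields = {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.fields[a.get("name") or ""] = a.get("value") or ""

def hidden_fields(html: str) -> dict:
    p = HiddenFieldCollector()
    p.feed(html)
    return p.fields

def leaked_hash_fields(html: str, stored_hashes: set) -> list:
    """Hidden inputs whose value is a stored password hash, i.e. the leak."""
    return sorted(n for n, v in hidden_fields(html).items() if v in stored_hashes)

# Constructed sample: an address-book entry view that echoes the record's
# fields, hash included, as hidden inputs (the behaviour the advisory reports).
PW_HASH = unsalted("notes123")
SAMPLE_HTML = f"""<form>
 <input type="hidden" name="FullName" value="Jane Doe">
 <input type="hidden" name="PasswordDigest" value="{PW_HASH}">
 <input type="hidden" name="PasswordChangeDate" value="2005-07-26">
</form>"""
def audit():
    # Findings: the hidden field leaks the hash, the unsalted hash falls to the
    # precomputed table, and a salted copy of the same password does not.
    table = precomputed_table(["password", "letmein", "notes123"])
    leaked = leaked_hash_fields(SAMPLE_HTML, {PW_HASH})
    return leaked, table.get(PW_HASH), table.get(salted("notes123", os.urandom(16)))
```

Running audit() on the sample returns the leaking field name, the recovered plaintext for the unsalted hash, and None for the salted one; the same hidden-field scan can be pointed at a real entry page to confirm the configuration change took effect.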
Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------

Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

----------------------------------------------------------------------