BugTraq
IBM Lotus Notes multiple disclosures of password hashes
Aug 20 2005 01:54AM
Shalom Carmel (shalom venera com)
Summary
========
A vulnerability disclosing password hashes in Domino
webmail was published in July 2005. A further test revealed that
password hashes are also disclosed in the Lotus Notes client and in Domino LDAP.
Details
=======
The Lotus Notes client can be used to access the Notes Address Book (NAB).
The Notes password digest is revealed on the Administration
tab of an arbitrary person's entry.
The "PasswordDigest" and "HTTPPassword" fields are revealed in the NAB
entry's document properties.
Domino LDAP also reveals the values of "PasswordDigest" and "HTTPPassword".
Vulnerable versions:
===================
All versions
Full details with examples can be found at
http://www.venera.com/downloads/Lotus_password_disclosures.pdf
Shalom Carmel
-------------------
www.venera.com - Exposing iSeries insecurity
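
An added audit example, not part of the original advisory: it scans LDIF text, assumed to be saved from an unauthenticated search of your own directory, and lists the entries that returned a non-empty "HTTPPassword" or "PasswordDigest" attribute. The function names and the sample LDIF are constructed for illustration; only the two attribute names come from the advisory.

```python
import base64

# Attribute names from the advisory; LDAP attribute names are case-insensitive.
SENSITIVE = {"httppassword", "passworddigest"}

# Constructed sample LDIF (not real data); values are placeholders.
SAMPLE_LDIF = """\
# constructed sample
dn: CN=Alice Example,O=ExampleOrg
HTTPPassword: (PLACEHOLDER-HASH-
 CONTINUED)

dn: CN=Bob Example,O=ExampleOrg
passworddigest:: UExBQ0VIT0xERVI=

dn: CN=Carol Example,O=ExampleOrg
HTTPPassword:
"""

def unfold(text):
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def exposed_hash_attributes(ldif_text):
    """Return {dn: sorted attribute names}; values are never stored."""
    findings, dn = {}, None
    for line in unfold(ldif_text):
        if not line.strip():
            dn = None  # a blank line ends the current entry
        if line.startswith("#") or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        value = rest.lstrip(":").strip()
        if rest.startswith(":"):  # "attr:: ..." marks a base64 value
            value = base64.b64decode(value).decode("utf-8", "replace")
        base = name.split(";")[0].strip().lower()  # drop options like ;binary
        if base == "dn":
            dn = value
        elif dn and base in SENSITIVE and value:
            findings.setdefault(dn, set()).add(base)
    return {d: sorted(a) for d, a in findings.items()}
```

An empty result for an unauthenticated search means neither attribute was returned to that client; any listed entry is one whose hash fields are readable without credentials.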