Bugtraq mailing list archives
IBM Lotus Notes multiple disclosures of password hashes
From: "Shalom Carmel" <shalom () venera com>
Date: Sat, 20 Aug 2005 04:54:01 +0300
Summary
========
A vulnerability describing password hashes disclosure in Domino webmail was published in July 2005. A further test revealed disclosed password hashes in the Lotus Notes client and in Domino LDAP.

Details
=======
Lotus Notes client can be used to access the Notes Address Book (NAB). The Notes password digest is revealed on the Administration tab of an arbitrary person's entry. The "PasswordDigest" and "HTTPPassword" fields are revealed in the NAB entry's document properties.

Domino LDAP also reveals the values of "PasswordDigest" and "HTTPPassword".

Vulnerable versions:
===================
All versions

Full details with examples can be found at http://www.venera.com/downloads/Lotus_password_disclosures.pdf

Shalom Carmel
-------------------
www.venera.com - Exposing iSeries insecurity
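
A defensive check for the LDAP exposure described in the post above, as an added example that is not part of the original message: it parses an LDIF export taken from a directory you administer and lists the entries that return a non-empty "PasswordDigest" or "HTTPPassword" value, without printing the values. The function names and the sample LDIF are constructed for illustration; only the two field names come from the advisory.

```python
import base64

SENSITIVE = {"passworddigest", "httppassword"}  # field names from the advisory, lower-cased

def parse_ldif(text):
    """Yield (dn, {attr: [values]}) per LDIF entry; attribute names lower-cased."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():                # blank line ends an entry
            if "dn" in entry:
                yield entry.pop("dn")[0], entry
            entry = {}
            continue
        name, sep, value = line.partition(":")
        if line.startswith("#") or not sep:  # skip comments and malformed lines
            continue
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        name = name.split(";")[0].strip().lower()   # drop options such as ;binary
        entry.setdefault(name, []).append(value.strip())

def find_exposed(text):
    """Map each DN to the sensitive attributes it returns with a non-empty value."""
    hits = {dn: sorted(a for a in SENSITIVE if any(attrs.get(a, [])))
            for dn, attrs in parse_ldif(text)}
    return {dn: h for dn, h in hits.items() if h}

# Constructed sample export; the values are placeholders, not real digests.
SAMPLE = """\
dn: CN=Alice Example,O=ExampleOrg
HTTPPassword: (PLACEHOLDER-CONSTRUCTED-
 FOLDED)

dn: CN=Bob Example,O=ExampleOrg
mail: bob@example.com

dn: CN=Carol Example,O=ExampleOrg
PasswordDigest:: Q09OU1RSVUNURUQ=
httppassword:
"""

if __name__ == "__main__":
    print(find_exposed(SAMPLE))
```

Run it against exports taken with the least-privileged bind you allow; any DN it reports is returning hash material to that identity.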