QwikSec

Security Database

CVE

CWE

Training

CVE-2005-2428

Published: Aug 3, 2005

Modified: Aug 7, 2024

PUBLISHED

Description

Lotus Domino R5 and R6 WebMail, with "Generate HTML for all fields" enabled, stores sensitive data from names.nsf in hidden form fields, which allows remote attackers to read the HTML source to obtain sensitive information such as (1) the password hash in the HTTPPassword field, (2) the password change date in the HTTPPasswordChangeDate field, (3) the client platform in the ClntPltfrm field, (4) the client machine name in the ClntMachine field, and (5) the client Lotus Domino release in the ClntBld field, a different vulnerability than CVE-2005-2696.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

20050726 CYBSEC - Security Advisory: Default Configuration Information

mailing-list

x_refsource_BUGTRAQ

vdb-entry

x_refsource_BID

exploit

x_refsource_EXPLOIT-DB

http://www-1.ibm.com/support/docview.wss?uid=swg21212934

x_refsource_CONFIRM

vdb-entry

x_refsource_SECTRACK

vdb-entry

x_refsource_OSVDB

http://www.cybsec.com/vuln/default_configuration_information_disclosure_lotus_domino.pdf

x_refsource_MISC

http://www.securiteam.com/securitynews/5FP0E15GLQ.html

x_refsource_MISC

third-party-advisory

x_refsource_SECUNIA

lotus-domino-names-obtain-information(21556)

vdb-entry

x_refsource_XF

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.