Lotus Domino Session Hijacking
Hi everyone, I've been very busy recently, which is why I haven't posted for so long...
Enough of the preamble, here's what I've found.
As soon as you successfully authenticate to the Lotus Notes web (Domino HTTP) interface, you receive a session cookie called DomAuthSessId.
I've found that if you steal that token from a logged-in user and put it into your own browser, you can impersonate the victim.
Obviously Lotus Notes allows the same user to authenticate concurrently from two unrelated IPs, so the stolen session is not tied to the victim's address.
The Lotus Notes versions tested were 5 and 6. To steal the cookie, the usual methods apply: sniffing, XSS, etc.
To view and edit the cookie you can use a very nice Firefox extension called Web Developer toolbar.
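Since a Domino session token stays valid from a second IP, one defensive check is to watch for a single DomAuthSessId value used from more than one client address in a short window. The following is an added example, not code from the original post; it assumes a reverse proxy or access log in front of Domino that records the session cookie (the log format and the sample lines are constructed for illustration).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real Domino output). The assumed format is
# "<timestamp> <client_ip> <user> DomAuthSessId=<token> <request>", as a proxy
# in front of Domino could be configured to write.
SAMPLE_LOG = """\
2024-01-10T09:00:01Z 10.0.0.5 alice DomAuthSessId=AAAA1111 GET /mail/alice.nsf
2024-01-10T09:00:09Z 10.0.0.5 alice DomAuthSessId=AAAA1111 GET /mail/alice.nsf/($Inbox)
2024-01-10T09:03:42Z 203.0.113.7 alice DomAuthSessId=AAAA1111 GET /mail/alice.nsf/($Inbox)
2024-01-10T09:04:00Z 10.0.0.9 bob DomAuthSessId=BBBB2222 GET /mail/bob.nsf
2024-01-10T09:05:00Z 10.0.0.9 bob DomAuthSessId=BBBB2222 GET /mail/bob.nsf/($Sent)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) DomAuthSessId=(?P<token>\S+) (?P<req>.*)$"
)


def parse_lines(text):
    """Yield a dict per well-formed line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_shared_sessions(text, window_seconds=600):
    """Return {token: (user, sorted IPs)} for every DomAuthSessId value seen
    from more than one client IP within window_seconds of its first use.
    A legitimate session can move between IPs (a laptop changing networks),
    so treat a hit as something to review, not as proof of hijacking."""
    first_seen = {}
    owner = {}
    ips = defaultdict(set)
    for rec in parse_lines(text):
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        tok = rec["token"]
        first_seen.setdefault(tok, ts)
        owner.setdefault(tok, rec["user"])
        if (ts - first_seen[tok]).total_seconds() <= window_seconds:
            ips[tok].add(rec["ip"])
    return {tok: (owner[tok], sorted(s)) for tok, s in ips.items() if len(s) > 1}


if __name__ == "__main__":
    for tok, (user, addrs) in find_shared_sessions(SAMPLE_LOG).items():
        print(f"ALERT: session {tok} of {user} used from {', '.join(addrs)}")
```

On the sample data only alice's token is flagged, because it appears from both 10.0.0.5 and 203.0.113.7 within ten minutes.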
A while ago this article was submitted to Bugtraq but was rejected; the justification was:
"Hmm this doesn't seem out of the ordinary for a webmail application --
the issue is stealing the cookie in the first place"
However... I've tested the same thing against OpenWebMail and that didn't work, so to me it doesn't look so general.
As for stealing the cookie, we have already talked about it.
Credits also go to my colleague Dave Nigro for helping me find the vulnerability.