nuclei-templates/cves/2005/CVE-2005-2428.yaml

id: CVE-2005-2428
info:
  name: Lotus Domino R5 and R6 WebMail Default Configuration Information Disclosure
  author: CasperGN
  severity: medium
  tags: cve,cve2005,domino
  description: Lotus Domino R5 and R6 WebMail with 'Generate HTML for all fields' enabled allows remote attackers to read the HTML source to obtain sensitive information including the password hash in the HTTPPassword field, the password change date in the HTTPPasswordChangeDate field, and the client Lotus Domino release in the ClntBld field (a different vulnerability than CVE-2005-2696).
  remediation: Ensure proper firewalls are in place within your environment to prevent public exposure of the names.nsf database and other sensitive files.
  reference:
    - http://www.cybsec.com/vuln/default_configuration_information_disclosure_lotus_domino.pdf
    - https://www.exploit-db.com/exploits/39495
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2005-2428
    cwe-id: CWE-200

requests:
  - method: GET
    path:
      - "{{BaseURL}}/names.nsf/People?OpenView"
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: regex
        name: domino-username
        regex:
          - '(<a href"/namesnsf/[0-9a-z/]+OpenDocument)'
        part: body

# Enhanced by mp on 2022/02/02
cve id updates 2021-01-02 05:02:50 +00:00			`id: CVE-2005-2428`
Inclusion of stage- 1 detection of the old hashdump vuln. Signed-off-by: Casper Guldbech Nielsen <whopsec@protonmail.com> 2020-09-09 08:11:50 +00:00			`info:`
Enhancement: cves/2005/CVE-2005-2428.yaml by cs 2022-02-02 18:08:10 +00:00			`name: Lotus Domino R5 and R6 WebMail Default Configuration Information Disclosure`
Inclusion of stage- 1 detection of the old hashdump vuln. Signed-off-by: Casper Guldbech Nielsen <whopsec@protonmail.com> 2020-09-09 08:11:50 +00:00			`author: CasperGN`
			`severity: medium`
Enhancement: cves/2005/CVE-2005-2428.yaml by cs 2022-02-02 18:08:10 +00:00			`tags: cve,cve2005,domino`
			`description: Lotus Domino R5 and R6 WebMail with 'Generate HTML for all fields' enabled allows remote attackers to read the HTML source to obtain sensitive information including the password hash in the HTTPPassword field, the password change date in the HTTPPasswordChangeDate field, and the client Lotus Domino release in the ClntBld field (a different vulnerability than CVE-2005-2696).`
Enhancement: cves/2005/CVE-2005-2428.yaml by mp 2022-02-02 18:15:44 +00:00			`remediation: Ensure proper firewalls are in place within your environment to prevent public exposure of the names.nsf database and other sensitive files.`
Removed pipe (\|) character from references, because the structure requires it to be a string slice, not a string Related nuclei tickets: * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-18 11:37:49 +00:00			`reference:`
Description and reference 2021-04-22 08:59:05 +00:00			`- http://www.cybsec.com/vuln/default_configuration_information_disclosure_lotus_domino.pdf`
			`- https://www.exploit-db.com/exploits/39495`
Enhancement: cves/2005/CVE-2005-2428.yaml by cs 2022-02-02 18:08:10 +00:00			`classification:`
			`cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N`
			`cvss-score: 5.3`
			`cve-id: CVE-2005-2428`
			`cwe-id: CWE-200`
Inclusion of stage- 1 detection of the old hashdump vuln. Signed-off-by: Casper Guldbech Nielsen <whopsec@protonmail.com> 2020-09-09 08:11:50 +00:00
			`requests:`
			`- method: GET`
			`path:`
			`- "{{BaseURL}}/names.nsf/People?OpenView"`
:hammer: Add matchers condition 2020-09-09 18:44:26 +00:00			`matchers-condition: and`
And the last file Signed-off-by: Casper Guldbech Nielsen <whopsec@protonmail.com> 2020-09-09 08:38:32 +00:00			`matchers:`
Inclusion of stage- 1 detection of the old hashdump vuln. Signed-off-by: Casper Guldbech Nielsen <whopsec@protonmail.com> 2020-09-09 08:11:50 +00:00			`- type: status`
			`status:`
Adding word matcher which mimics public PoC exploits Signed-off-by: Casper Guldbech Nielsen <whopsec@protonmail.com> 2020-09-09 14:53:16 +00:00			`- 200`
Based on metasploit regex Signed-off-by: Casper Guldbech Nielsen <whopsec@protonmail.com> 2020-09-09 17:08:23 +00:00			`- type: regex`
			`name: domino-username`
			`regex:`
Enhancement: cves/2005/CVE-2005-2428.yaml by cs 2022-02-02 18:08:10 +00:00			`- '(<a href"/namesnsf/[0-9a-z/]+OpenDocument)'`
Based on metasploit regex Signed-off-by: Casper Guldbech Nielsen <whopsec@protonmail.com> 2020-09-09 17:08:23 +00:00			`part: body`
Enhancement: cves/2005/CVE-2005-2428.yaml by cs 2022-02-02 18:08:10 +00:00
Enhancement: cves/2005/CVE-2005-2428.yaml by mp 2022-02-02 18:15:44 +00:00			`# Enhanced by mp on 2022/02/02`