nuclei-templates/http/cves/2005/CVE-2005-2428.yaml

id: CVE-2005-2428

info:
  name: Lotus Domino R5 and R6 WebMail - Information Disclosure
  author: CasperGN
  severity: medium
  description: Lotus Domino R5 and R6 WebMail with 'Generate HTML for all fields' enabled (which is by default) allows remote attackers to read the HTML source to obtain sensitive information including the password hash in the HTTPPassword field, the password change date in the HTTPPasswordChangeDate field, and the client Lotus Domino release in the ClntBld field (a different vulnerability than CVE-2005-2696).
  reference:
    - http://www.cybsec.com/vuln/default_configuration_information_disclosure_lotus_domino.pdf
    - https://www.exploit-db.com/exploits/39495
    - https://nvd.nist.gov/vuln/detail/CVE-2005-2428
    - http://marc.info/?l=bugtraq&m=112240869130356&w=2
    - http://securitytracker.com/id?1014584
  remediation: Ensure proper firewalls are in place within your environment to prevent public exposure of the names.nsf database and other sensitive files.
  classification:
    cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
    cvss-score: 5
    cve-id: CVE-2005-2428
    cwe-id: CWE-200
    epss-score: 0.01188
    cpe: cpe:2.3:a:ibm:lotus_domino:5.0:*:*:*:*:*:*:*
    epss-percentile: 0.83354
  metadata:
    max-request: 1
    vendor: ibm
    product: lotus_domino
  tags: domino,edb,cve,cve2005

http:
  - method: GET
    path:
      - "{{BaseURL}}/names.nsf/People?OpenView"

    matchers-condition: and
    matchers:
      - type: regex
        name: domino-username
        part: body
        regex:
          - '(<a href="/names\.nsf/[0-9a-z\/]+\?OpenDocument)'

      - type: status
        status:
          - 200
cve id updates 2021-01-02 05:02:50 +00:00			`id: CVE-2005-2428`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00
Inclusion of stage- 1 detection of the old hashdump vuln. Signed-off-by: Casper Guldbech Nielsen <whopsec@protonmail.com> 2020-09-09 08:11:50 +00:00			`info:`
Dashboard Content Enhancements (#4338) Dashboard Content Enhancements 2022-05-09 16:12:52 +00:00			`name: Lotus Domino R5 and R6 WebMail - Information Disclosure`
Inclusion of stage- 1 detection of the old hashdump vuln. Signed-off-by: Casper Guldbech Nielsen <whopsec@protonmail.com> 2020-09-09 08:11:50 +00:00			`author: CasperGN`
			`severity: medium`
additional reference to cves templates (#4395) * additional reference to cves templates * Update CVE-2006-1681.yaml * Update CVE-2009-3318.yaml * Update CVE-2009-4223.yaml * Update CVE-2010-0942.yaml * Update CVE-2010-0944.yaml * Update CVE-2010-0972.yaml * Update CVE-2010-1304.yaml * Update CVE-2010-1308.yaml * Update CVE-2010-1313.yaml * Update CVE-2010-1461.yaml * Update CVE-2010-1470.yaml * Update CVE-2010-1471.yaml * Update CVE-2010-1472.yaml * Update CVE-2010-1474.yaml * removed duplicate references * misc fix Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-05-17 09:18:12 +00:00			`description: Lotus Domino R5 and R6 WebMail with 'Generate HTML for all fields' enabled (which is by default) allows remote attackers to read the HTML source to obtain sensitive information including the password hash in the HTTPPassword field, the password change date in the HTTPPasswordChangeDate field, and the client Lotus Domino release in the ClntBld field (a different vulnerability than CVE-2005-2696).`
Removed pipe (\|) character from references, because the structure requires it to be a string slice, not a string Related nuclei tickets: * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-18 11:37:49 +00:00			`reference:`
Description and reference 2021-04-22 08:59:05 +00:00			`- http://www.cybsec.com/vuln/default_configuration_information_disclosure_lotus_domino.pdf`
			`- https://www.exploit-db.com/exploits/39495`
Dashboard Content Enhancements (#4338) Dashboard Content Enhancements 2022-05-09 16:12:52 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2005-2428`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`- http://marc.info/?l=bugtraq&m=112240869130356&w=2`
			`- http://securitytracker.com/id?1014584`
additional reference to cves templates (#4395) * additional reference to cves templates * Update CVE-2006-1681.yaml * Update CVE-2009-3318.yaml * Update CVE-2009-4223.yaml * Update CVE-2010-0942.yaml * Update CVE-2010-0944.yaml * Update CVE-2010-0972.yaml * Update CVE-2010-1304.yaml * Update CVE-2010-1308.yaml * Update CVE-2010-1313.yaml * Update CVE-2010-1461.yaml * Update CVE-2010-1470.yaml * Update CVE-2010-1471.yaml * Update CVE-2010-1472.yaml * Update CVE-2010-1474.yaml * removed duplicate references * misc fix Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-05-17 09:18:12 +00:00			`remediation: Ensure proper firewalls are in place within your environment to prevent public exposure of the names.nsf database and other sensitive files.`
Enhancement: cves/2005/CVE-2005-2428.yaml by cs 2022-02-02 18:08:10 +00:00			`classification:`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N`
			`cvss-score: 5`
Enhancement: cves/2005/CVE-2005-2428.yaml by cs 2022-02-02 18:08:10 +00:00			`cve-id: CVE-2005-2428`
			`cwe-id: CWE-200`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`epss-score: 0.01188`
			`cpe: cpe:2.3:a:ibm:lotus_domino:5.0:::::::*`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`epss-percentile: 0.83354`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 1`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`vendor: ibm`
			`product: lotus_domino`
			`tags: domino,edb,cve,cve2005`
Inclusion of stage- 1 detection of the old hashdump vuln. Signed-off-by: Casper Guldbech Nielsen <whopsec@protonmail.com> 2020-09-09 08:11:50 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Inclusion of stage- 1 detection of the old hashdump vuln. Signed-off-by: Casper Guldbech Nielsen <whopsec@protonmail.com> 2020-09-09 08:11:50 +00:00			`- method: GET`
			`path:`
			`- "{{BaseURL}}/names.nsf/People?OpenView"`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00
:hammer: Add matchers condition 2020-09-09 18:44:26 +00:00			`matchers-condition: and`
And the last file Signed-off-by: Casper Guldbech Nielsen <whopsec@protonmail.com> 2020-09-09 08:38:32 +00:00			`matchers:`
Based on metasploit regex Signed-off-by: Casper Guldbech Nielsen <whopsec@protonmail.com> 2020-09-09 17:08:23 +00:00			`- type: regex`
			`name: domino-username`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`part: body`
Based on metasploit regex Signed-off-by: Casper Guldbech Nielsen <whopsec@protonmail.com> 2020-09-09 17:08:23 +00:00			`regex:`
Fix regular expression after bot change 2022-02-04 20:22:52 +00:00			`- '(<a href="/names\.nsf/[0-9a-z\/]+\?OpenDocument)'`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00
			`- type: status`
			`status:`
			`- 200`