Friday, August 10, 2007

Lotus Domino Session Hijacking

Hi everyone, I've been very busy lately, which is why I haven't posted for so long... By the way, I might have discovered a new vulnerability in Lotus Domino Web Access. Here's what I've found.

As soon as you successfully authenticate to the Lotus Notes web interface, you receive a session token called DomAuthSessId. I've discovered that if you steal this token from a logged-in user and set it in your browser, you can impersonate the victim. Obviously Lotus Notes allows the same user to authenticate concurrently from two different IPs. The Lotus Notes versions tested were 5 and 6.

To steal the cookie you can use the common methods, like sniffing, XSS, etc. To view and set the cookie you can use a very nice Firefox extension called Web Developer Toolbar.

As a side note, this article was posted on Bugtraq but was refused; the answer was: "Hmm this doesn't seem out of the ordinary for a webmail application -- the trick is stealing the token in the first place". Now... I've tested the same thing on OpenWebMail and that didn't work, so to me it doesn't look so normal. As for stealing the cookie, we have already talked about it.

Credits also go to my colleague Dave Nigro for helping me test the vulnerability.
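The point above is that the DomAuthSessId cookie is a bearer token: whoever presents it is treated as the user, regardless of where the request comes from. The following Python is an added example (not code from the original post and not Domino's own logic) showing the two things a defender can do about that: a detection pass over access logs that flags a token presented from more than one client IP within a short window, and a server-side session store that binds a token to the IP it was issued to and rejects it elsewhere. The log format, the IP addresses and the token values are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (timestamp, client IP, method, path, Cookie
# header). The layout is invented for this example, not real Domino log output.
SAMPLE_LOG = """\
2007-08-10T09:00:01 10.0.0.5 GET /mail/alice.nsf Cookie: DomAuthSessId=AB12CD34EF56
2007-08-10T09:00:45 10.0.0.5 GET /mail/alice.nsf/inbox Cookie: DomAuthSessId=AB12CD34EF56
2007-08-10T09:02:10 192.168.7.99 GET /mail/alice.nsf/inbox Cookie: DomAuthSessId=AB12CD34EF56
2007-08-10T09:03:00 10.0.0.8 GET /mail/bob.nsf Cookie: DomAuthSessId=9988776655AA
2007-08-10T09:04:30 10.0.0.8 GET /mail/bob.nsf/inbox Cookie: lang=en; DomAuthSessId=9988776655AA
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) Cookie: (?P<cookies>.*)$"
)
# The session cookie may sit anywhere in the Cookie header, so anchor on "; " or start.
TOKEN_RE = re.compile(r"(?:^|;\s*)DomAuthSessId=([^;\s]+)")


def parse_line(line):
    """Return (timestamp, client_ip, token) for a line carrying DomAuthSessId, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    t = TOKEN_RE.search(m.group("cookies"))
    if not t:
        return None
    return datetime.fromisoformat(m.group("ts")), m.group("ip"), t.group(1)


def find_shared_tokens(log_text, window=timedelta(minutes=30)):
    """Detection pass: map each session token to the sorted list of client IPs that
    presented it within `window` of one another. Tokens only ever seen from a single
    IP are omitted, so the result is the list of sessions worth investigating."""
    sightings = defaultdict(list)  # token -> [(timestamp, ip), ...]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, ip, token = parsed
            sightings[token].append((ts, ip))

    shared = {}
    for token, events in sightings.items():
        events.sort()
        ips = set()
        for i, (ts, ip) in enumerate(events):
            for later_ts, later_ip in events[i + 1:]:
                if later_ts - ts > window:
                    break  # events are sorted, so nothing further is inside the window
                if later_ip != ip:
                    ips.update({ip, later_ip})
        if ips:
            shared[token] = sorted(ips)
    return shared


class BoundSessionStore:
    """Mitigation: a hypothetical server-side session store that records the client
    IP at login and refuses the token when it arrives from any other IP."""

    def __init__(self):
        self._sessions = {}  # token -> (user, ip_at_issue)

    def issue(self, token, user, ip):
        self._sessions[token] = (user, ip)

    def validate(self, token, ip):
        """Return the user name if `token` is valid for this client IP, else None."""
        entry = self._sessions.get(token)
        if entry is None or entry[1] != ip:
            return None
        return entry[0]


if __name__ == "__main__":
    for token, ips in find_shared_tokens(SAMPLE_LOG).items():
        print(f"token {token} presented from multiple IPs: {', '.join(ips)}")
```

On the constructed log, only the first token is reported, because it was presented from 10.0.0.5 and then from 192.168.7.99 two minutes later, which matches the concurrent-use behaviour the post describes. IP binding, as in `BoundSessionStore`, is the blunt fix; it also breaks legitimate users whose address changes mid-session (mobile clients, load-balanced proxies), so in practice it is usually paired with a short session lifetime and re-authentication for sensitive actions rather than applied alone.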