Attackers could obtain users' password hashes, password change dates and other sensitive information by exploiting a security hole in IBM Lotus Domino. The problem, IBM said in an advisory, is that the Webmail component includes a user's password information in HTML hidden fields when the user's entry is viewed in the public address book. An attacker who views the HTML source code of such an entry could access other users' password hashes, password change dates, and other sensitive information. The flaw affects versions 5.0, 6.0, and 6.5. One solution is to reconfigure Domino so that it stores users' passwords using salted hashes and does not include users' password hashes in HTML hidden fields.
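A check a site owner could run over rendered pages for the kind of leak described above, as an added example that is not from IBM's advisory or the original story: it flags hidden form fields whose name or value suggests password data and reports only field names and value lengths. The field names, the name patterns and the sample HTML are constructed assumptions, not Domino's actual markup.

```python
import re
from html.parser import HTMLParser

# Name fragments that suggest credential material (assumed list; tune per application).
SENSITIVE_NAME = re.compile(r"pass(word|wd)?|pwd|hash|secret", re.I)
# Values that look like a digest: 32 or more hex characters.
HASH_LIKE = re.compile(r"^[0-9A-Fa-f]{32,}$")


class HiddenFieldAudit(HTMLParser):
    """Collect hidden <input> fields whose name or value suggests password data."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}  # valueless attributes arrive as None
        if a.get("type", "").lower() != "hidden":
            return
        name, value = a.get("name", ""), a.get("value", "").strip()
        reasons = []
        if SENSITIVE_NAME.search(name):
            reasons.append("name")
        if HASH_LIKE.match(value):
            reasons.append("hash-like value")
        if reasons and value:
            # Report the field name and value length only; never echo the value.
            self.findings.append((name, len(value), tuple(reasons)))


def audit(html):
    """Return (field name, value length, reasons) for each suspicious hidden field."""
    parser = HiddenFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page; field names are hypothetical.
SAMPLE_HTML = """
<form action="/save" method="post">
  <input type="text" name="FullName" value="Example User">
  <input type="hidden" name="PasswordHash" value="0123456789ABCDEF0123456789ABCDEF">
  <input type="hidden" name="PasswordChangeDate" value="01/01/2005">
  <input type="hidden" name="Token" value="ab12">
  <input type="hidden" name="Digest" value="00112233445566778899aabbccddeeff">
</form>
"""

if __name__ == "__main__":
    for name, length, reasons in audit(SAMPLE_HTML):
        print(f"hidden field {name!r} ({length} chars) flagged by: {', '.join(reasons)}")
```
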
This story originally appeared on SearchSecurity.com