| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 17 Sep 2018 19:35:09 +0300 From: alphan yavaş <ayavasa94@...il.com> To: fulldisclosure@...lists.org, bugtraq@...urityfocus.com Subject: Disclose SSRF Vulnerability I. VULNERABILITY ------------------------- Rollup 18 for Microsoft Exchange Server 2010 SP3 Server Side Request Forgery (SSRF) II. CVE REFERENCE ------------------------- CVE-2018-16793 III. VENDOR ------------------------- https://www.microsoft.com IV. TIMELINE ------------------------ 19/06/2018 Vulnerability discovered 22/06/2018 Vendor contacted 15/08/2018 Microsoft replay that Update rollup 18 is out of date. V. CREDIT ------------------------- Alphan Yavas VI. DESCRIPTION ------------------------- Rollup 18 for Microsoft Exchange Server 2010 SP3 and previous versions are affected from SSRF vulnerability. A remote attacker could force the vulnerable server to send request to any remote server s/he wants. VII. PROOF OF CONCEPT ------------------------- Affected Component: Path(inurl): /owa/auth/logon.aspx Parameter: username Login page of OWA affected from SSRF vulnerability. If username is being sent with following format victim server will send out DNS queries to xxx domain. (xxx is the domain which you want to send request from server) username: ssrf.xxx.com\pentest password: (doesn't matter) If you want to listen this request you must listen with tcpdump to dns port your own server(xxx) and you can see callback request.
Powered by blists - more mailing lists