Full Disclosure mailing list archives
Outlook web access 2007 CSRF
From: Rosario Valotta <valotta.rosario () gmail com>
Date: Thu, 8 Jul 2010 01:05:06 +0200
Hi,

I've just posted on my blog (http://sites.google.com/site/tentacoloviola/pwning-corporate-webmails) a detailed description of a CSRF vulnerability affecting OWA 2007 and earlier versions. The vulnerability allows, among other things, setting an automatic forward rule for all incoming e-mails of a victim.

This issue was reported to MSRC in September 2009; in November they fixed the bug in the Exchange 2010 release, while for Exchange 2007 they released a patch some days ago (Service Pack 3).

On my blog there is also a video PoC that shows a practical example of a CSRF attack on an OWA user.

Regards,
Rosario Valotta