[CSO10002] Attachment path traversal in Outlook Web Access
- To: <bugtraq@xxxxxxxxxxxxxxxxx>
- Subject: [CSO10002] Attachment path traversal in Outlook Web Access
- From: "Ricardo Martins - Chief Security Officers" <ricardo.martins@xxxxxx>
- Date: Wed, 3 Feb 2010 12:10:47 -0000
This trick is mostly useful, but it can also be used for the wrong purposes. Since it
is so simple, it is probably already known to some people.
If someone sends you a file through OWA but the file is blocked by a policy,
this is what you can do:
1- Install Firefox
2- Access your email and the attachment using the following URL pattern:
http://<hostname>/<OWA directory>/<mail box username>/Inbox/<email subject>.EML/<attachment filename>
E.g.:
http://webmail.example.com/Exchange/myusername/Inbox/virus.EML/virus.zip
The best way is to try in the following order:
1- http://<hostname>/<OWA directory>/<mail box username>/Inbox (you see all your emails)
2- http://<hostname>/<OWA directory>/<mail box username>/Inbox/<email subject>.EML (you see only the email with the blocked files)
3- http://<hostname>/<OWA directory>/<mail box username>/Inbox/<email subject>.EML/<attachment filename> (you download the file)
The actual address may differ for a couple of reasons. Check the attachment URL and
use it as shown above.
This can also be exploited through a malicious email containing a link that points
directly to the malware.
Server environment: Exchange/OWA 2003 6.5.76*
Client environment: Firefox 3.0.15
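From the defender's side, the URL shape above is easy to spot in web server logs. The following is an added example, not part of the original post: it scans constructed, simplified W3C-style IIS log lines (date, time, client IP, method, URI, status; the mailboxes, IPs and blocked-extension list are assumptions) and flags requests that fetch an attachment directly by its `<subject>.EML/<filename>` path when the file has an extension the mail policy is supposed to block.

```python
import re
from urllib.parse import unquote

# Attachment extensions assumed to be blocked by the mail policy (constructed list).
BLOCKED_EXTENSIONS = {".exe", ".zip", ".scr", ".vbs"}

# The OWA 2003 URL shape from the post: /<OWA dir>/<mailbox>/<folder>/<subject>.EML/<file>
# The folder is a wildcard so the same shape under folders other than Inbox is caught too.
ATTACHMENT_PATH = re.compile(
    r"^/(?P<vdir>[^/]+)/(?P<mailbox>[^/]+)/(?P<folder>[^/]+)"
    r"/(?P<item>[^/]+\.eml)/(?P<attachment>[^/?]+)",
    re.IGNORECASE,
)

def parse_log_line(line):
    """Parse a simplified W3C-style line: date time client-ip method uri status."""
    parts = line.split()
    if len(parts) < 6:
        return None
    date, time, client, method, uri, status = parts[:6]
    return {"date": date, "time": time, "client": client,
            "method": method, "uri": unquote(uri), "status": int(status)}

def find_direct_attachment_requests(lines):
    """Return GET requests that address a policy-blocked attachment directly by path."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        m = ATTACHMENT_PATH.match(rec["uri"])
        if m is None:
            continue
        name = m.group("attachment")
        ext = ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            # Keep the status so blocked attempts (non-200) are still visible to the analyst.
            hits.append({"client": rec["client"], "mailbox": m.group("mailbox"),
                         "item": m.group("item"), "attachment": name,
                         "status": rec["status"]})
    return hits

# Constructed sample log lines; the mailboxes and client IPs are made up.
SAMPLE_LOG = [
    "2010-02-03 12:10:47 198.51.100.7 GET /Exchange/myusername/Inbox 200",
    "2010-02-03 12:11:02 198.51.100.7 GET /Exchange/myusername/Inbox/virus.EML 200",
    "2010-02-03 12:11:15 198.51.100.7 GET /Exchange/myusername/Inbox/virus.EML/virus.zip 200",
    "2010-02-03 12:12:30 198.51.100.9 GET /Exchange/bob/Inbox/Quarterly%20report.EML/report.pdf 200",
    "2010-02-03 12:13:01 198.51.100.9 GET /Exchange/bob/Inbox/Weekly%20update.EML/tool.exe 403",
]
```

Running `find_direct_attachment_requests(SAMPLE_LOG)` reports the `virus.zip` download and the refused `tool.exe` request, while the folder listing, the bare `.EML` view and the PDF are ignored.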
Ricardo Martins
CISA, ISO 27001/20000 LA
Compliance & Consulting Manager