263 enterprise mailbox and personal mailbox: login bypass for any user - bug warning - the black bar safety net

2016-01-16T00:00:00
ID MYHACK58:62201671051
Type myhack58
Reporter Anonymous
Modified 2016-01-16T00:00:00

Description

Vulnerability details disclosure status:
2016-01-14: details have been reported to the vendor and are awaiting processing
2016-01-14: vendor has confirmed; details are disclosed only to the vendor
2016-01-14: vendor has fixed the vulnerability and has voluntarily disclosed details to the public

Taking admin@net263.com, admin@263.com and security@263.net as examples.

Detailed description: affected mailbox suffixes include all corporate mailboxes, net263.com, 263.net, 263.com, 263.net.cn and x263.net.
263 cloud communication personal center: http://uc.263.net/ma/web/jsp/usc/index.jsp

[screenshot]

After logging into the mailbox, capture the request to:
http://uc.263.net/ma/web//usc/action/app/webMailUrl.do

[screenshot]

This request generates a quick-login link from my e-mail address, and the link is then used to log in. Normally the server should validate the login here and allow you to log in only to your own mailbox. Just to try, I passed admin@net263.com as pcode:

[screenshot]

url:
https://mm.263.com/sadLogin.do?usr=admin@net263.com&sessionkey=admin@net263.comwm_656916399594561452757460fqhg45Odx2FnUj0p4ncxjY4XZHsADRgtHMZLR&bindid=000000

Using this link, which can only be used once, the login miraculously succeeded:

[screenshot]

Proof of vulnerability: admin@263.com:

[screenshot]

security@263.net:

[screenshot]

Then I found a few domains that use 263 enterprise mailboxes and went directly for “admin@<enterprise domain>”:

1:

[screenshot]

2:

[screenshot]

After logging into the mailbox, the address book, cloud schedule and sync disk can be reached directly via single sign-on:

[screenshot]

Sync disk backend management:

[screenshot]

The above mailboxes were only used for login tests to demonstrate the harm, and nothing further was done. Solution: add a proper authorization check to the sensitive interface.
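The root cause in the report is that the link-generating interface trusts the client-supplied pcode instead of the identity of the session that called it. The following is an added example, not the vendor's code and not from the original report: a hypothetical quick-login service modelled on the webMailUrl.do / sadLogin.do flow, showing the vulnerable issuance beside the hardened one (subject taken from the session, one-time token with a short lifetime), plus a small detection helper that flags log lines where pcode differs from the session user. The host name, class names, log format and sample log lines are constructed for this example.

```python
"""Quick-login link issuance: the vulnerable pattern beside a hardened one.

Hypothetical service modelled on the report's webMailUrl.do / sadLogin.do flow;
names, URLs and the log format are constructed for this example.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import quote

MAIL_HOST = "https://mail.example.invalid"  # placeholder, not the vendor's host


@dataclass
class Session:
    """The mailbox the caller actually authenticated as."""
    user: str


class QuickLoginService:
    def __init__(self, ttl_seconds: int = 60) -> None:
        self.ttl = ttl_seconds
        # token -> (mailbox, expiry); each token is redeemable exactly once
        self._issued: Dict[str, Tuple[str, float]] = {}

    def _issue(self, mailbox: str, now: float) -> str:
        token = secrets.token_urlsafe(32)          # unguessable, single use
        self._issued[token] = (mailbox, now + self.ttl)
        return f"{MAIL_HOST}/sadLogin.do?usr={quote(mailbox)}&sessionkey={token}"

    def vulnerable_link(self, session: Optional[Session], pcode: str,
                        now: Optional[float] = None) -> str:
        """Vulnerable: trusts the client-supplied pcode, never consults the session."""
        return self._issue(pcode, now if now is not None else time.time())

    def hardened_link(self, session: Optional[Session], pcode: str,
                      now: Optional[float] = None) -> str:
        """Hardened: issues a link only for the mailbox the session belongs to."""
        if session is None:
            raise PermissionError("login required")
        if pcode.strip().lower() != session.user.strip().lower():
            raise PermissionError("pcode does not match the authenticated user")
        # The subject is the session's own identity, not the request field.
        return self._issue(session.user, now if now is not None else time.time())

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Consumes a token; returns the mailbox, or None if unknown, used or expired."""
        now = now if now is not None else time.time()
        entry = self._issued.pop(token, None)     # pop enforces one-time use
        if entry is None:
            return None
        mailbox, expiry = entry
        return mailbox if now <= expiry else None


def token_from_link(link: str) -> str:
    """Extracts the sessionkey value from a link produced above."""
    return link.rsplit("sessionkey=", 1)[1]


def mismatched_requests(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Detection: link requests whose pcode is not the session's own user."""
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        user, pcode = fields.get("session_user"), fields.get("pcode")
        if user and pcode and user.lower() != pcode.lower():
            hits.append((user, pcode))
    return hits


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    "path=/webMailUrl.do session_user=alice@example.invalid pcode=alice@example.invalid",
    "path=/webMailUrl.do session_user=alice@example.invalid pcode=admin@example.invalid",
    "path=/webMailUrl.do session_user=bob@example.invalid pcode=Bob@example.invalid",
]

if __name__ == "__main__":
    svc = QuickLoginService()
    me = Session("alice@example.invalid")
    print(svc.vulnerable_link(me, "admin@example.invalid"))   # issued for someone else
    try:
        svc.hardened_link(me, "admin@example.invalid")
    except PermissionError as err:
        print("blocked:", err)
    print(mismatched_requests(SAMPLE_LOG))
```

The decisive line is the comparison in hardened_link: the mailbox named in the link must be the one the session authenticated as, and the token is minted for that session identity rather than for whatever the request carried. The one-time, short-lived token matters too, but on its own it does not help if the issuer will mint it for any mailbox; the report's link was already single-use and still logged the tester into admin@net263.com.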