CVE-2014-0999, CVE-2014-8391
CORE SECURITY issued an advisory about two information disclosure vulnerabilities they found in the Sendio ESP product.
Sendio ESP (E-mail Security Platform) is a network appliance which provides anti-spam and anti-virus solutions for enterprises.
Two information disclosure issues were found affecting some versions of this software, and can lead to leakage of sensitive information such as user’s session identifiers and/or user’s email messages.
Vulnerabilities details
CVE-2014-0999 – Disclosure of session cookie in Web interface URLs :
The Sendio ESP Web interface authenticates users with a session cookie named “jsessionid”.
The vulnerability is caused due the way the Sendio ESP Web interface handles this authentication cookie, as the “jsessionid” cookie value is included in URLs when obtaining the content of emails.
The URLs used by the application follow this format:
http://<ESP-web-interface-domain>:<ESP-web-interface-port>/sendio/ice/cmd/msg/body;jsessionid=<session-identifier-value>?id=<message-id>
This causes the application to disclose the session identifier value, allowing attackers to perform session hijacking.
An attacker might perform this kind of attack by sending an email message containing links or embedded image HTML tags pointing to a controlled web site, and then accessing the victim’s session cookies through the “Referrer” HTTP header.
Accessing this authentication cookie might allow an attacker to hijack a victim’s session and obtain access to email messages or perform actions on behalf of the victim.
CVE-2014-8391 – Response mixup in Web interface
The vulnerability is caused by an improper handling of users’ sessions by the Web interface.
Under certain conditions, this could lead to the server disclosing sensitive information that was intended for a different user.
This information includes, for instance, other users’ session identifiers, email message identifiers or email message subjects. In order to trigger this vulnerability, requests should be authenticated.