Email security vendor Sendio has patched a pair of remotely exploitable security bypass vulnerabilities in its Sendio ESP, or Email Security Platform, product.
Researchers at Core Security Technologies reported the vulnerabilities to Sendio on March 26, along with a proof of concept that triggers the bug. Sendio version 6 (14.1120.0), and possibly other versions, is affected; the issues are fixed in Sendio 7.2.4.
“Two information disclosure issues were found affecting some versions of this software, and can lead to leakage of sensitive information such as user’s session identifiers and/or user’s email messages,” Core Security said today in an advisory published on its website. The bugs were discovered by Core researcher Martin Gallo.
The first vulnerability discloses a session cookie via the Sendio web interface URL. According to Core Security’s advisory, the interface authenticates users with a cookie named jsessionid. The issue arises because Sendio ESP’s interface includes the cookie value in the URL when obtaining email content.
“This causes the application to disclose the session identifier value, allowing attackers to perform session hijacking,” the advisory said. “An attacker might perform this kind of attack by sending an email message containing links or embedded image HTML tags pointing to a controlled website, and then accessing the victim’s session cookies through the ‘Referrer’ HTTP header. Accessing this authentication cookie might allow an attacker to hijack a victim’s session and obtain access to email messages or perform actions on behalf of the victim.”
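The leak described above is a property of the URL, not of the attacker: any request whose URI carries the session identifier will reproduce that identifier in the Referer header of every resource the page goes on to load. The following defender-side check, added here as an illustration and not taken from Core Security's advisory or from Sendio, scans combined-format web access log lines for session identifiers in either the request URI or the Referer value, and reports which response-header mitigations are missing. The log lines, the `esp.example` host, the path names and the session values are all constructed for the example; only the cookie name `jsessionid` comes from the advisory, and the other parameter names in `SESSION_PARAMS` are assumed common equivalents.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameter names treated as session identifiers. "jsessionid" is the cookie
# name from the Core advisory; the rest are assumed common equivalents.
SESSION_PARAMS = {"jsessionid", "phpsessid", "sessionid", "sid"}


def session_tokens_in_url(url):
    """Return {param: value} for session identifiers carried in the URL itself.

    Covers the query-string form (?jsessionid=...) and the servlet-style path
    form (/path;jsessionid=...). Either one is copied into the Referer header
    when the page loads a resource from another origin.
    """
    found = {}
    parts = urlsplit(url)
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.lower() in SESSION_PARAMS and values:
            found[name.lower()] = values[0]
    for m in re.finditer(r";(\w+)=([^;/?#]+)", parts.path):
        if m.group(1).lower() in SESSION_PARAMS:
            found[m.group(1).lower()] = m.group(2)
    return found


# Combined log format: host ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]+" (\d{3}) \S+ "([^"]*)"'
)


def find_leaks(log_lines):
    """Scan access log lines; return (client, where, [param names]) for every
    request URI or Referer that carries a session identifier."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        client, _method, uri, _status, referer = m.groups()
        for where, url in (("request-uri", uri), ("referer", referer)):
            toks = session_tokens_in_url(url)
            if toks:
                alerts.append((client, where, sorted(toks)))
    return alerts


def missing_mitigations(response_headers):
    """Return hardening gaps in a response-header dict (constructed check):
    a Referrer-Policy that keeps the page URL from reaching other origins,
    and HttpOnly/Secure on the session cookie. The real fix is to keep the
    identifier out of the URL entirely; these only limit the blast radius."""
    h = {k.lower(): v for k, v in response_headers.items()}
    gaps = []
    if h.get("referrer-policy", "").lower() not in ("no-referrer", "same-origin", "strict-origin"):
        gaps.append("Referrer-Policy missing or too permissive")
    cookie = h.get("set-cookie", "").lower()
    if "jsessionid=" in cookie and "httponly" not in cookie:
        gaps.append("session cookie lacks HttpOnly")
    if "jsessionid=" in cookie and "secure" not in cookie:
        gaps.append("session cookie lacks Secure")
    return gaps


# Constructed sample log lines (not real Sendio traffic).
SAMPLE_LOG = [
    # session id in the path while fetching a message
    '10.0.0.5 - - [26/Mar/2014:10:00:00 +0000] "GET /mail/view;jsessionid=A1B2C3D4?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # clean request: session id travels only in the Cookie header, which is not logged
    '10.0.0.5 - - [26/Mar/2014:10:00:01 +0000] "GET /mail/inbox HTTP/1.1" 200 2048 "https://esp.example/mail/inbox" "Mozilla/5.0"',
    # follow-up resource load: the Referer repeats the id from the previous page
    '10.0.0.5 - - [26/Mar/2014:10:00:02 +0000] "GET /static/logo.png HTTP/1.1" 200 99 "https://esp.example/mail/view;jsessionid=A1B2C3D4?id=42" "Mozilla/5.0"',
    # query-string form
    '10.0.0.9 - - [26/Mar/2014:10:00:03 +0000] "GET /mail/attachment?jsessionid=ZZ99&id=7 HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in find_leaks(SAMPLE_LOG):
        print("session id in %s from %s: %s" % (alert[1], alert[0], ", ".join(alert[2])))
    print(missing_mitigations({"Set-Cookie": "JSESSIONID=A1B2C3D4; Path=/"}))
```

The Referer alert on the third line is the one to watch for: it shows that an ordinary resource load already carries the identifier, so an image served from an attacker-controlled host would receive exactly the same header. Run over real logs, the URI check is also a quick way to confirm whether a patched build has stopped placing the identifier in the URL.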
The second bug is triggered by improper handling of user sessions in the same Web interface, Core Security said.
“Under certain conditions, this could lead to the server disclosing sensitive information that was intended for a different user,” the advisory said. “This information includes, for instance, other users’ session identifiers, email message identifiers or email message subjects. In order to trigger this vulnerability, requests should be authenticated.”
The advisory also includes Gallo’s proof of concept code.
Such broken authentication and session management flaws are listed on the OWASP top 10 list of web application security vulnerabilities. These types of bugs are often used to hijack sessions and impersonate victims, stealing account information and communication exchanges between parties.