[Am-info] Microsoft Outlook Web Access Cross-Site Scripting Vulnerability

Fred A. Miller fmiller@lightlink.com
Thu, 10 Jul 2003 14:43:07 -0400


Microsoft Outlook Web Access Cross-Site Scripting Vulnerability

READ ONLINE:
http://www.secunia.com/advisories/9212/

CRITICAL:
Less critical

IMPACT:
Security Bypass, Cross Site Scripting, Exposure of sensitive
information

WHERE:
From remote

SOFTWARE:
Microsoft Exchange 5.5
Microsoft Exchange 2000 Enterprise Server
Microsoft Exchange Server 2000

DESCRIPTION:
A vulnerability has been reported in Outlook Web Access (OWA), which
can be exploited by malicious people to conduct Cross-Site Scripting
attacks against users.

When a user wants to view a HTML formatted mail in OWA he/she needs
to click a generated link. However, it is possible to force a user
into clicking a specially crafted link where the "Security" parameter
has been omitted. This makes it possible to bypass the script
filtering routines allowing script code in the body of the mail to be
executed.

An example link was provided in the original advisory:
http://<IP_or_name_of_the_server>/exchange/<username>/<inbox_name>/<subject>.EML/1_multipart/2_text.htm

Successful exploitation may result in disclosure of sensitive
information (eg. content of cookies associated with the site,
mailboxes, and the Base64 encoded Windows domain user credentials).
However, this requires that certain information is known in advance.

A PoC (Proof of Concept) exploit has been released, which illustrates
an attack vector (see original advisory).

SOLUTION:
Set up a proxy or content filter to deny mails containing script code
or links like the one in the example.

REPORTED BY / CREDITS:
Hugo Vázquez Caramés and Toni Cortés Martínez.

ORIGINAL ADVISORY:
http://www.infohacking.com/INFOHACKING_RESEARCH/Our_Advisories/OWA/OWA_XSS.htm

-- 
Planet Earth - a subsidiary of Microsoft®.
We have no bugs in our software, Never!,
We do have undocumented added features,
that you will find amusing, at no added cost,
to you, at this time.
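
The content-filter workaround from the SOLUTION section, sketched as an added example (not part of the advisory or the original post). It flags mail bodies that carry script content or an OWA body-part link shaped like the advisory's example with no "Security" query parameter. The host name, the sample bodies, the `Security=1` value and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# URLs are assumed to be delimited by whitespace, quotes or angle brackets.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Path shape from the advisory's example link:
#   /exchange/<username>/<inbox_name>/<subject>.EML/<body part>.htm
OWA_PART_RE = re.compile(r"^/exchange/.+\.eml/.+\.html?$", re.IGNORECASE)
# Coarse script markers for a gateway filter; this is not an HTML sanitizer.
SCRIPT_RE = re.compile(
    r"<\s*script\b|<[^>]*\son\w+\s*=|javascript\s*:", re.IGNORECASE)


def owa_links_missing_security(body):
    """Return OWA body-part links in `body` that lack a Security parameter."""
    hits = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;)")              # drop sentence punctuation
        parts = urlsplit(url)
        # Decode %xx first so an encoded ".EML" cannot slip past the match.
        if not OWA_PART_RE.match(unquote(parts.path)):
            continue
        keys = {k.lower()
                for k in parse_qs(parts.query, keep_blank_values=True)}
        if "security" not in keys:
            hits.append(url)
    return hits


def should_quarantine(body):
    """Return the list of reasons to hold a message (empty list = deliver)."""
    reasons = []
    if SCRIPT_RE.search(body):
        reasons.append("script content")
    if owa_links_missing_security(body):
        reasons.append("OWA body-part link without Security parameter")
    return reasons


# Constructed sample bodies (not taken from real traffic).
LINK = ("http://mail.example.test/exchange/alice/Inbox/"
        "Hello.EML/1_multipart/2_text.htm")
SAMPLE_BAD = "Please read this: " + LINK + "."
SAMPLE_OK = "Please read this: " + LINK + "?Security=1"
SAMPLE_SCRIPT = '<html><body onload="x()">hi</body></html>'

if __name__ == "__main__":
    for name in ("SAMPLE_BAD", "SAMPLE_OK", "SAMPLE_SCRIPT"):
        print(name, should_quarantine(globals()[name]))
```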