Alert: Microsoft Security Bulletin MS03-047 - Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting Attack (828489)

From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 10/21/03

    Date:         Tue, 21 Oct 2003 17:28:31 -0400
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Bulletin URL:
    http://www.microsoft.com/technet/security/bulletin/MS03-047.asp

    Summary:
      Version Number: V1.0
      Revision Date: 10-15-2003
      Impact of Vulnerability: Remote Code Execution
      Maximum Severity Rating: Moderate
      Patch(es) Replaced: None
      Caveats: Customers who have customized any of the ASP pages in the
    File Information section in this document should back up those files
    before applying this patch as they will be overwritten when the patch is
    applied. Any customizations would then need to be reapplied to the new
    ASP pages.
      CVE Number(s): CAN-2003-071

    Tested Software:
      Affected Software:
      * Microsoft Exchange Server 5.5, Service Pack 4
    <http://www.ntbugtraq.com/link/C516FE75-95CE-4FFF-B83D-9B170FCD0C1C.asp>

      Software Not Affected:
      * Microsoft Exchange 2000 Server
      * Microsoft Exchange Server 2003

    Technical Description:
    A cross-site scripting (XSS) vulnerability results due to the way that
    Outlook Web Access (OWA) performs HTML encoding in the Compose New
    Message form. An attacker could seek to exploit this vulnerability by
    having a user run script on the attacker's behalf. The script would
    execute in the security context of the user. If the script executes in
    the security context of the user, the attacker's code could then execute
    by using the security settings of the OWA Web site (or of a Web site
    that is hosted on the same server as the OWA Web site) and could enable
    the attacker to access any data belonging to the site where the user has
    access. To exploit this vulnerability through OWA, an attacker would
    have to send an e-mail message that has a specially-formed link to the
    user. The user would then have to click the link. To exploit this
    vulnerability in another way, an attacker would have to know the name of
    the user's Exchange server and then entice the user to open a
    specially-formed link from another source while the user is logged on to
    OWA.

    Note: Customers who have customized any of the ASP pages in the
    File Information section in this document should back up those files
    before applying this patch as they will be overwritten when the patch is
    applied. Any customizations would then need to be reapplied to the new
    ASP pages. Please refer to the Microsoft Support Policy for the
    Customization of Outlook Web Access available at
    http://support.microsoft.com/default.aspx?scid=kb;en-us;327178

    This email is sent to NTBugtraq automatically as a service to my
    subscribers. (v2.0)

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
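
The encoding failure the Technical Description refers to, shown as an added example that is not part of the original message and is not Microsoft's code: a compose form that reflects link-supplied fields into HTML with and without encoding. The field names `to` and `subject`, the host and the path are assumptions, and the sample link is constructed.

```javascript
// Added illustration, not OWA source. Field names, host and path are assumptions.

// Encode the five characters that let a value break out of HTML text
// or out of a quoted attribute value.
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[ch]));
}

// Parse the query string of a compose link into a plain field map.
// searchParams.get() percent-decodes, so the values are raw user input.
function composeFields(link) {
  const params = new URL(link).searchParams;
  return { to: params.get('to') || '', subject: params.get('subject') || '' };
}

// "Before": link-supplied values are concatenated into the page as-is.
function renderComposeUnsafe(f) {
  return `<form><input name="to" value="${f.to}">` +
         `<input name="subject" value="${f.subject}"></form>`;
}

// "After": every link-supplied value is encoded at the point of output.
function renderComposeSafe(f) {
  return `<form><input name="to" value="${htmlEncode(f.to)}">` +
         `<input name="subject" value="${htmlEncode(f.subject)}"></form>`;
}

// Count opening tags in the markup. The form itself has three; any extra
// one means a field value escaped its attribute and became markup.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed sample link: the subject closes its attribute and adds a
// harmless <b> element, which is enough to show the injection point.
const SAMPLE_LINK =
  'https://owa.example.invalid/compose?to=bob%40example.invalid' +
  '&subject=' + encodeURIComponent('Q3 "draft"><b>injected</b>');

const sampleFields = composeFields(SAMPLE_LINK);
console.log('unsafe tags:', countTags(renderComposeUnsafe(sampleFields)));
console.log('safe tags:  ', countTags(renderComposeSafe(sampleFields)));
```

Comparing the tag count of the rendered page against the form's own three tags is a quick regression check when customized pages are reapplied after patching.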


