Alert: Microsoft Security Bulletin MS04-026 - Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting and Spoofing Attacks (842436)
From: Russ Cooper (Russ.Cooper_at_TRUSECURE.CA)
Date: 08/10/04
Date: Tue, 10 Aug 2004 13:39:46 -0400
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Microsoft Security Bulletin MS04-026:
Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting and Spoofing Attacks (842436)
Bulletin URL:
<http://www.microsoft.com/technet/security/bulletin/MS04-026.mspx>
Version Number: 1.0
Issued Date: Tuesday, August 10, 2004
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Moderate
Patch(es) Replaced: This update replaces the security update that is provided in Microsoft Security Bulletin MS03-047.
Caveats: Customers who have customized any of the Active Server Pages (ASP) pages that are listed in the File Information section in this document should back up those files before they apply this update because those ASPs will be overwritten when the update is applied. Any customizations would then have to be reapplied to the new ASP pages.
Version Requirements for Dependent Components for This Update: To install successfully, this update requires that the Microsoft Outlook Web Access server have either:
* Internet Explorer 5.01 Service Pack 3 (SP3) installed when using Windows 2000 SP3;
* Internet Explorer 5.01 SP4 installed when using Windows 2000 SP4; or
* Internet Explorer 6 SP1 installed when using other supported operating systems.
Version Recommendations for Dependent Components on the Outlook Web Access Server: At the time of this writing, the following versions are recommended for dependent components on the Outlook Web Access server:
* Microsoft Internet Information Services (IIS):
  * IIS 4.0 on Windows NT 4.0 SP6
  * IIS 5.0 on Windows 2000 SP3 or later
* Microsoft Internet Explorer:
  * Internet Explorer 6.0
Tested Software:
Affected Software:
------------------
* Microsoft Exchange Server 5.5 SP4
Affected Components:
--------------------
* Outlook Web Access
<http://tinyurl.com/4e4qo>
Technical Description:
----------------------
* Cross-site and Spoofing Vulnerability - CAN-2004-0203: This is a cross-site scripting and spoofing vulnerability. The cross-site scripting vulnerability could allow an attacker to convince a user to run a malicious script. If this malicious script is run, it would execute in the security context of the user. Attempts to exploit this vulnerability require user interaction. This vulnerability could allow an attacker access to any data on the Outlook Web Access server that was accessible to the individual user. It may also be possible to exploit the vulnerability to manipulate Web browser caches and intermediate proxy server caches, and put spoofed content in those caches.
This email is sent to NTBugtraq automagically as a service to my subscribers. (v4.01.1664.40858)
Cheers,
Russ - Senior Scientist - TruSecure Corporation/NTBugtraq Editor
-----
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
-----