[NT] Microsoft Outlook Web Access Cross-Site Scripting (Technical Details, MS05-029)
From: SecuriTeam (support_at_securiteam.com)
To: email@example.com Date: 15 Jun 2005 16:06:10 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
- - - - - - - - -
Microsoft Outlook Web Access Cross-Site Scripting (Technical Details,
<http://www.microsoft.com/exchange/owa/> Microsoft Outlook Web Access is
"an optional component included in Microsoft Exchange that allows users to
access their mailboxes using a web frontend".
The Outlook Web Access module of Microsoft Exchange has been found to be
vulnerable to a cross site scripting.
* Exchange Server version 5.5
Remote exploitation of a Cross-Site Scripting vulnerability in the Outlook
Web Access (OWA) component within version 5.5 of Microsoft's Exchange
Server allows an attacker to force to inject arbitrary script code into a
users session, possibly stealing logon credentials.
To demonstrate the vulnerability, simply embed the following encoded text
into an HTML e-mail:
< IMG SRC="javAsc
This will have the affect of popping up an alert window when the targeted
user views the mail using Outlook Web Access. This proof of concept could
easily be altered to cause the script to return authentication credentials
to an attacker controlled server.
Successful exploitation of this vulnerability would allow an attacker to
inject arbitrary script code into the Web Access session. This could allow
for the theft of authentication information, which could lead to a
compromised mail account. In order for exploitation to occur, the targeted
user would only have to view an e-mail from an attacker. As it is trivial
to spoof the source of e-mail, this vulnerability has a high potential for
The vendor security advisory and appropriate patches are available at:
* 04.08.05 - Initial vendor notification
* 04.08.05 - Initial vendor response
* 06.14.05 - Coordinated public disclosure
The original article can be found at:
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: firstname.lastname@example.org
In order to subscribe to the mailing list, simply forward this email to: email@example.com
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.