[NT] Outlook Web Access XSS (MS06-029)
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 15 Jun 2006 12:06:25 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Outlook Web Access XSS (MS06-029)
------------------------------------------------------------------------
SUMMARY
"Microsoft Office Outlook Web Access is an integrated component of Exchange
Server 2003."
<http://www.microsoft.com/exchange/evaluation/features/owa2k3_55.mspx>
Improper handling of user email allows attackers to exploit an XSS in
Microsoft Outlook Web Access.
DETAILS
Vulnerable Systems:
* Microsoft Exchange 2000 Server Pack 3 with the August 2004
  Exchange 2000 Server Post-Service Pack 3 Update Rollup
* Microsoft Exchange Server 2003 Service Pack 1
* Microsoft Exchange Server 2003 Service Pack 2
Microsoft Outlook Web Access is vulnerable to a cross site scripting
attack.
A malicious user could craft a mail containing HTML and JavaScript code.
Such code could be used to steal session information from the victim's
cookies, and thus enable the attacker to get access to the victim's
emails.
In alternative browsers like Mozilla Firefox or Opera, the mere opening of
a crafted email is enough for JavaScript code to execute. As soon as the
victim clicks on the malicious email, the JavaScript code can read session
information and send it to the attacker, who can then perform session
hijacking and read the victim's emails.
As Internet Explorer uses proprietary security mechanisms (mails are
displayed as pages in the restricted security zone), it is not possible to
inject JavaScript code directly into email bodies.
However, our research showed that by using HTML attachments (which are also
subject to input sanitization in OWA), the JavaScript code can be
successfully executed. Furthermore, HTML code injection is still possible
directly in the email body. This can be used, e.g., by malicious attackers
to include images which are displayed without further user interaction and
thus verify whether the user has read the email or not. Links can also be
directly included, circumventing OWA's redirection feature.
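The three issues described above (script execution, automatically loaded images, and links that bypass the redirector) are what a webmail HTML filter has to close. The following allowlist sanitizer is an added illustration, not code from the advisory or from Microsoft's fix; the tag allowlist and the `/redir?url=` endpoint are assumptions.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit

ALLOWED = {"a", "b", "i", "u", "p", "br", "ul", "ol", "li", "blockquote"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
REDIRECT = "/redir?url="  # hypothetical redirector endpoint (assumption)

def redirected(href):
    """Return a redirector URL for http(s) links, None for anything else."""
    try:
        scheme = urlsplit(href.strip()).scheme.lower()
    except ValueError:
        return None
    return REDIRECT + quote(href.strip(), safe="") if scheme in ("http", "https") else None

class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        if self.skip:
            return
        if tag == "img":  # never fetch remote images automatically
            self.out.append("[image blocked]")
        elif tag == "a":  # the only attribute kept is a rewritten href
            url = redirected(dict(attrs).get("href") or "")
            self.out.append('<a href="%s">' % escape(url) if url else "<a>")
        elif tag in ALLOWED:  # all attributes, including on* handlers, are dropped
            self.out.append("<%s>" % tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # text is re-escaped on output

def sanitize(body):
    parser = MailSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)

# Constructed sample mail body covering the cases from the advisory.
SAMPLE = ('<p onmouseover="probe()">Hi <b>there</b></p><script>probe()</script>'
          '<img src="http://tracker.example/open.gif?id=1">'
          '<a href="javascript:probe()">a</a> <a href="http://example.com/x?y=1">b</a>')
```

The same filter has to be applied to HTML attachments before they are rendered in the webmail origin, since the advisory notes that attachments were a separate path to script execution.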
Vendor Status:
The vendor has issued a fix:
http://www.microsoft.com/technet/security/Bulletin/MS06-029.mspx
Disclosure Timeline:
vendor notified: 2005-10-27
vendor response: 2005-10-27
patch available: 2006-06-13
ADDITIONAL INFORMATION
The information has been provided by SEC Research
<research@xxxxxxxxxxxxxxx>.
The original article can be found at:
http://www.microsoft.com/technet/security/Bulletin/MS06-029.mspx
The advisory can be found at:
http://www.securiteam.com/windowsntfocus/5SP0G15IUC.html