[NT] Microsoft Outlook Web Access XSS (MS08-039)
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 17 Jul 2008 21:08:03 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Microsoft Outlook Web Access XSS (MS08-039)
------------------------------------------------------------------------
SUMMARY
Several Cross Site Scripting vulnerabilities were found within Outlook
Web Access (OWA) 2003/2007. An attacker can craft a malicious email which
will trigger within a user's browser. Different versions of OWA and
different clients (Light and Premium) have different attack vectors which
can result in an attacker gaining *persistent* control over a victim's use
of Outlook Web Access. An attacker would have full control of and access to
the victim's e-mail account. This control could be further abused by
utilising techniques such as JavaScript root-kits or web worms.
DETAILS
Vulnerable Systems:
* Microsoft Outlook Web Access 2003 and 2007 (Exchange Server 2003 SP2,
Exchange Server 2007, Exchange Server 2007 SP1)
Analysis:
An attacker can craft a malicious email which contains the attack strings
to compromise an OWA client. The user would only need to view the email
to fall victim to the XSS attack. Furthermore, persistent XSS can be gained
by changing certain values within OWA to a particular XSS attack string.
This string (consisting of HTML/JavaScript) is subsequently injected into
*any* page which uses this value, including "new email" and "reply email"
(for OWA 2003) and most pages (for OWA 2007). Logging out of the
application and back in will not clear the attack. Furthermore, the
attack can be propagated by using the control over the OWA client to email
the attack link to all users in the victim's inbox/contacts.
At this point the attack would spread as an XSS worm (albeit one requiring
the user to view the incoming email). This could potentially affect all
users of the OWA application.
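As an added, defender-side example that is not part of the advisory: an allowlist HTML sanitizer of the kind a webmail front end must apply to message bodies before rendering, so that script blocks, event-handler attributes and javascript: URLs in an incoming mail never reach the browser. The allowlist, the scheme list and the sample body are assumptions constructed for the demonstration, not OWA's own filter.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist: tags a webmail client may render, with their permitted attributes.
# Everything else (script, style, on* handlers, javascript: URLs) is dropped.
ALLOWED = {"p": set(), "br": set(), "b": set(), "i": set(), "ul": set(),
           "ol": set(), "li": set(), "a": {"href"}, "img": {"src", "alt"}}
VOID = {"br", "img"}
SAFE_SCHEMES = {"http", "https", "mailto"}

def safe_url(value):
    """Accept only absolute URLs with an allowlisted scheme (no javascript:/data:)."""
    return urlparse(value.strip()).scheme.lower() in SAFE_SCHEMES

class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # >0 while inside <script> or <style>: drop their text too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        elif tag in ALLOWED:
            # Keep only allowlisted attributes; URL attributes must pass safe_url.
            kept = "".join(' %s="%s"' % (n, html.escape(v, quote=True))
                           for n, v in attrs
                           if n in ALLOWED[tag] and v is not None
                           and (n not in ("href", "src") or safe_url(v)))
            self.out.append("<%s%s>" % (tag, kept))

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED and tag not in VOID:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data))  # text is always re-escaped

def sanitize_mail_html(body):
    p = MailSanitizer()
    p.feed(body)
    p.close()
    return "".join(p.out)

# Constructed sample body (not from the advisory): legitimate markup mixed with
# content a sanitizer must strip before the browser sees it.
SAMPLE = ('<p>Hi <b>team</b><script>run()</script><img src="x" onerror="run()">'
          '<a href="javascript:run()">link</a><a href="https://example.com">ok</a></p>')
```

Relative URLs are rejected along with unsafe schemes, so a production filter would additionally resolve or proxy images rather than simply dropping them.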
Vendor Response:
On 9th July 2008, Microsoft issued security bulletin MS08-039 and an
associated patch for Exchange Server 2003 and Exchange Server 2007 SP1.
Patches are available from:
http://www.microsoft.com/technet/security/bulletin/ms08-039.mspx
Context would recommend that these patches be installed as soon as
practical on all Exchange Servers providing OWA functionality.
CVE Information:
CVE-2008-2247: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2247
CVE-2008-2248: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2248
Disclosure Timeline:
10th January 2008 - Initial Discovery and vendor notification.
14th January 2008 - Vendor response requesting further details.
14th March 2008 - Vendor response requesting PoC. PoC provided.
9th July 2008 - Vendor advisory release.
10th July 2008 - Context Information Security Ltd advisory release.
ADDITIONAL INFORMATION
The information has been provided by Context IS - Disclosure <mailto:disclosure@xxxxxxxxxxxxxxx>.