HTTP Response Splitting vulnerability in Microsoft Outlook Web Access for Exchange 5.5

From: Amit Klein (amit.klein_at_sanctuminc.com)
Date: 08/11/04

    Date: Wed, 11 Aug 2004 10:02:06 +0300
    To: bugtraq@securityfocus.com
    
    

    ////////////////////////////////////////////////////////////////////
    //=====================>> Security Advisory <<====================//
    ////////////////////////////////////////////////////////////////////

    --------------------------------------------------------------------
    -----[ Microsoft Outlook Web Access (OWA) for Exchange 5.5
           is vulnerable to HTTP Response Splitting attack
    --------------------------------------------------------------------

    --[ Author: Amit Klein, Sanctum Inc. http://www.SanctumInc.com/

    --[ Release Date: August 11th, 2004

    --[ Product: Microsoft Outlook Web Access (OWA) for Exchange 5.5

    --[ Severity: High

    --[ Description
    Microsoft Outlook Web Access for Exchange 5.5 (henceforth, "OWA") is
    vulnerable to HTTP Response Splitting (see "Divide and Conquer: HTTP
    Response Splitting, Web Cache Poisoning Attacks, and Related
    Topics", http://www.sanctuminc.com/pdf/WhitePaper_HTTPResponse.pdf).
    OWA is vulnerable through several scripts/URLs (in a redirection
    scenario).

    This technique enables the attacker to poison a cache server (de-
    facto defacing the OWA site), to hijack responses (pages) from other
    users, to send crafted responses (pages) to other users, and to
    mount a cross site scripting attack on other users.
    A user account is needed in order to access the vulnerable scripts.
    The anonymous (public) account (available by default) can be used
    for that purpose.
    Note that if SSL is used between the client (browser) and the OWA
    site, then web cache poisoning is limited to any cache device that
    resides on-site, between the OWA server and the SSL termination
    point.

    --[ Solution
    Microsoft has issued a security bulletin (MS04-026, "Vulnerability
    in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site
    Scripting and Spoofing Attacks (842436)") at the following URL:

    http://www.microsoft.com/technet/security/Bulletin/MS04-026.mspx

    Information regarding the security update that addresses this
    problem is available in the bulletin.
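
The redirection scenario described above, as an added example that is not part of the original advisory and is not OWA code: a redirect handler that copies a decoded request parameter into the Location header, next to a hardened form that refuses any target carrying a line break. The path /home, the X-Injected marker header and all function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# CR, LF and NUL must never reach a header value.
_FORBIDDEN = re.compile(r"[\r\n\x00]")
DECODE_ROUNDS = 3  # raw value, plus single- and double-decoded forms (assumed limit)


def naive_redirect(target: str) -> bytes:
    """'Before' form: the decoded parameter is copied straight into Location."""
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: {unquote(target)}\r\n"
            "Content-Length: 0\r\n\r\n").encode("latin-1")


def safe_redirect(target: str) -> bytes:
    """Hardened form: reject line breaks, including percent-encoded ones."""
    if not target.isascii():
        raise ValueError("redirect target rejected: non-ASCII character")
    decoded = target
    for _ in range(DECODE_ROUNDS):
        if _FORBIDDEN.search(decoded):
            raise ValueError("redirect target rejected: line break or NUL")
        decoded = unquote(decoded)
    # Emit the value as received, so anything percent-encoded stays encoded.
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: {target}\r\n"
            "Content-Length: 0\r\n\r\n").encode("ascii")


def header_names(raw: bytes) -> list[str]:
    """Header names of the first response in raw, as a cache or client parses it."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    return [line.split(":", 1)[0].lower() for line in head.split("\r\n")[1:]]


# Constructed inputs: one benign target, one carrying an encoded CR LF pair,
# and one where the pair is encoded twice.
GOOD = "/home?folder=inbox"
BAD = "/home%0d%0aX-Injected:%20constructed"
BAD_DOUBLE = "/home%250d%250aX-Injected:%20constructed"

if __name__ == "__main__":
    print(header_names(naive_redirect(BAD)))  # extra header the app never wrote
    print(header_names(safe_redirect(GOOD)))
    for value in (BAD, BAD_DOUBLE):
        try:
            safe_redirect(value)
        except ValueError as exc:
            print(value, "->", exc)
```
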

