Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Outlook Web Access Input Validation Hole in Redirection Query Permits Cross-Site Scripting Attacks
|
|
SecurityTracker Alert ID: 1010916
|
|
SecurityTracker URL: http://securitytracker.com/id?1010916
|
|
CVE Reference: CAN-2004-0203
(Links to External Site)
|
Date: Aug 10 2004
|
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 5.5 SP4
|
Description: An input validation vulnerability was reported in Microsoft Outlook Web Access. A remote user can conduct cross-site scripting attacks.
Microsoft reported that Outlook Web Access does not properly validate user-supplied input provided to an HTML redirection query before
the input is displayed.
A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary
scripting code to be executed by the target user's browser. The code will originate from the site running the Outlook Web Access
software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies
(including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web
form to the site, or take actions on the site acting as the target user.
Microsoft reported that this flaw can be exploited to
manipulate the target user's Web browser cache and intermediate proxy server caches and place spoofed content in those caches.
Microsoft
Exchange Server 5.5 SP4 is vulnerable.
Microsoft Exchange 2000 Server and Microsoft Exchange Server 2003 are not affected, the
report said.
Microsoft credits Amit Klein of Sanctum Inc. with reporting this flaw.
|
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the
Outlook Web Access software, access data recently submitted by the target user via web form to the site, or take actions on the
site acting as the target user.
|
Solution: Microsoft has issued an update for Outlook Web Access, available at:
http://www.microsoft.com/downloads/details.aspx?FamilyId=66E4E033-5A4C-4EEC-84F1-31F0CA878092&displ
aylang=en
The update requires: Internet Explorer 5.01 Service Pack 3 (SP3) installed when using Windows 2000 SP3; Internet Explorer
5.01 SP4 installed when using Windows 2000 SP4; or Internet Explorer 6 SP1 installed when using other supported operating systems.
Microsoft
indicates that the update does not require a restart, but the update will restart Microsoft Internet Information Services (IIS),
the Exchange Store, and the Exchange System Attendant Services.
This update replaces the security update MS03-047.
Customers
that have customized certain ASP pages should check the advisory for some importan caveats:
http://www.microsoft.com/technet/security/bulletin/ms04-026.mspx
|
Vendor URL: www.microsoft.com/technet/security/bulletin/ms04-026.mspx (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Windows (NT), Windows (2000), Windows (2003), Windows (XP)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Aug 10, 2004
Subject: MS04-026
|
http://www.microsoft.com/technet/security/bulletin/ms04-026.mspx
Microsoft Security Bulletin MS04-026
Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting and Spoofing
Attacks (842436)
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Moderate
Microsoft Exchange Server 5.5 SP4 is vulnerable.
Microsoft Exchange 2000 Server and Microsoft Exchange Server 2003 are not affected, the report said.
An input validation vulnerability was reported in Microsoft Outlook Web Access. A remote user can co
nduct cross-site scripting attacks.
Microsoft reported that Outlook Web Access does not properly validate user-supplied input provided to
an HTML redirection query before the input is displayed.
A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbit
rary scripting code to be executed by the target user's browser.
The code will originate from the site running the Outlook Web Access software and will run in the sec
urity context of that site.
As a result, the code will be able to access the target user's cookies (including authentication cook
ies), if any,
associated with the site, access data recently submitted by the target user via web form to the site,
or take actions on the site acting as the target user.
Microsoft reported that this flaw can be exploited to manipulate the target user's Web browser cache
and intermediate proxy server caches and place spoofed content in those caches.
Microsoft credits Amit Klein of Sanctum Inc. with reporting the Cross-site Scripting and Spoofing Vul
nerability [CVE: CAN-2004-0203].
Microsoft has issued an update for Outlook Web Access, available at:
http://www.microsoft.com/downloads/details.aspx?FamilyId=66E4E033-5A4C-4EEC-84F1-31F0CA878092&dis
playlang=en
The update requires: Internet Explorer 5.01 Service Pack 3 (SP3) installed when using Windows 2000 S
P3; Internet Explorer 5.01 SP4 installed when using Windows 2000 SP4; or Internet Explorer 6 SP1insta
lled when using other supported operating systems.
Microsoft indicates that the update does not require a restart, but the update will restart Microsoft
Internet Information Services (IIS), the Exchange Store, and the Exchange System Attendant Services.
This update replaces the security update MS03-047.
Customers that have customized certain ASP pages should check the advisory for some importan caveats.
|
|
Go to the Top of This SecurityTracker Archive Page
|
