lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <38904.81.223.96.242.1150268634.squirrel@www.sec-consult.com>
Date: Wed, 14 Jun 2006 09:03:54 +0200 (CEST)
From: "SEC Consult Research" <research@...-consult.com>
To: full-disclosure@...ts.grok.org.uk
Cc: bugtraq@...urityfocus.com
Subject: SEC Consult SA-20060613-0 :: Outlook Web Access
 Cross Site Scripting Vulnerability


SEC-CONSULT Security Advisory < 20060613-0 >
=======================================================================
                  title: HTML Code Injection in Outlook Web Access
                program: Outlook Web Access
     vulnerable version: Exchange 2000 (SP3), 2003 (SP1), 2003 (SP2)
                 impact: severe
               homepage: http://www.microsoft.com/exchange/default.mspx
                  found: 2005-10-25
                     by: D. Fabian / SEC-CONSULT / www.sec-consult.com
                         T. Kerbl / SEC-CONSULT / www.sec-consult.com
=======================================================================

vendor description:
---------------

Microsoft Office Outlook Web Access is an integrated component of
Exchange Server 2000/2003. By using only a Web browser and an Internet
or intranet connection, Outlook Web Access enables users to read their
corporate e-mail messages, schedules, and other information that is
stored on a server running Exchange.

[Source: http://www.microsoft.com/exchange/evaluation/features/
owa2k3_55.mspx]


vulnerability overview:
---------------

Microsoft Outlook Web Access is vulnerable to an HTML code
injection/cross site scripting attack. A malicous user could craft a
mail containing HTML and Javascript code. Such code could be used to
steal session information from the victims cookies, and thus enable
the attacker to get access to the victim's emails.

In alternative Browsers like Mozilla Firefox or Opera the mere opening
of an crafted email is enough for Javascript code to execute. As soon
as the victim clicks on the malicious email, the Javascript code can
read session information and send this to the attacker, who can
then perform session highjacking and read the victims emails.

As Internet Explorer uses proprietary security mechanisms (mails
are displayed as pages in restricted security zone) it is not
possible to inject Javascript code directly into email bodies.
However our research showed, that using HTML attachments (which are
also subject to input sanitation in OWA), the Javascript Code can be
successfully executed. Furthermore HTML Code injection is still
possible directly in the email body. This can be used e.g. by
malicious attackers to include images which are displayed without
further user interaction and thus verify whether the user read the
email or not. Also links can be directly included, curcumventing
OWA's redirection feature.


vulnerability details:
---------------

To allow time to Microsoft Exchange administrators to patch their
systems, SEC Consult is going to withhold vulnerability and exploit
details for 2 weeks.


vulnerable versions:
---------------

The following versions of Microsoft Exchange Server are vulnerable
to the described security flaw:

- Microsoft Exchange 2000 Server Pack 3 with the August 2004
  Exchange 2000 Server Post-Service Pack 3 Update Rollup
- Microsoft Exchange Server 2003 Service Pack 1
- Microsoft Exchange Server 2003 Service Pack 2


vendor status:
---------------
vendor notified: 2005-10-27
vendor response: 2005-10-27
patch available: 2006-06-13


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Blindengasse 3
A-1080 Wien
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 15
Mail: office at sec-consult dot com
www.sec-consult.com

EOF Daniel Fabian / @2006
research at sec-consult dot com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ