lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <48F8E28E.6090601@alighieri.org>
Date: Fri, 17 Oct 2008 21:07:58 +0200
From: Davide Del Vecchio <dante@...ghieri.org>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk,
	secure@...rosoft.com
Cc: Martin Suess <martin.suess@...c.ch>
Subject: Re: MS OWA 2003 Redirection Vulnerability - [MSRC 7368br]

Hi,

I found and notified this vulnerability to Microsoft in date:

Tue, 10 Apr 2007 15:40:13 +0200

You read exactly, April 2007, 1 year and 6 months ago. :(

The Microsoft Security Response Center opened the case ID MSRC 7368br.

The bug has never been patched since 1 year and 6 months.
I asked time to time for updates but they always answered me that the 
bug had to be patched with the next Service Pack and they did not have 
any ETA.

This SP has still to be released.

They told me that if I released the vulnerability prior to the official 
patch, I could not be officially credited for that. I tought it was not 
a critical vuln, and so I waited. Too much (?).

I am a bit sorry for Microsoft, I think they lost an other chance since 
now I feel a bit tricked. I am not sure if the next time I will wait so 
much and I am not sure if I will suggest to anyone to wait for the 
patch. I just hope Microsoft will credit me in the official patch. :(

Below you can find the first mail I wrote to MS regarding the issue.

Best regards,

Davide Del Vecchio.


From: "Davide Del Vecchio" <dante@...ghieri.org>
To: secure@...rosoft.com

Subject: Microsoft Outlook Web Access "redir.asp" Redirection Weakness
Date: Tue, 10 Apr 2007 15:40:13 +0200

Hello,

I found a weakness in Microsoft Outlook Web Access (OWA), which
potentially can be exploited by malicious people to conduct phishing
attacks.
The weakness is caused due to a design error in the way OWA uses an
unverified user supplied argument to redirect a user after successful
authentication.
This can e.g. be exploited by tricking a user into following a link from
a HTML document to the trusted login page with a malicious "url" parameter.
After successful authentication, the user will be redirected to the
untrusted (fake) site.

The affected product is:
Microsoft Outlook Web Access ( OWA )
Windows 2003

Examples:
https://[owa-url]/exchweb/bin/redir.asp?URL=http://www.example.com

this will take the user to http://www.example.com when the login box
is pressed.

https://[owa-url]/exchweb/bin/redir.asp?URL=http://www.example.com/setup.exe
prompts the user to download an executable or other file.

The attacker can then have a page to capture the user / password
and redirect back to the original login page or some other form of
phishing attack.

Note that this vulnerability is very similar to the one affecting
"owalogin.asp" described here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0420

Best regards,

Davide Del Vecchio.

Martin Suess ha scritto:

...

> Timeline:
> ---------
> Vendor Status:      MSRC tracking case closed
> Vendor Notified:    March 31st 2008
> Vendor Response:    May 6th 2008
> Advisory Release:   October 15th 2008
> Patch available:    - (vulnerability not high priority)


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ