Arbitrary Code Execution Vulnerability in Microsoft Exchange Server 5.5 Outlook Web Access

Reported October 15, 2003, by Microsoft.

VERSIONS AFFECTED

  • Microsoft Exchange Server 5.5 Outlook Web Access (OWA)

DESCRIPTION

  • A vulnerability in Microsoft Exchange Server 5.5 Outlook Web Access (OWA) can result in the execution of arbitrary code on the user’s system. It stems from a cross-site scripting (XSS) flaw in the way OWA performs HTML encoding in the Compose New Message form. An attacker who exploits it can cause the user's browser to run script on the attacker's behalf in the user's security context. That script would then run with the security settings of the OWA Web site (or of a Web site hosted on the same server as the OWA Web site) and could let the attacker access any user-accessible data belonging to the site.
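As an added illustration of the defect class described above (not code from the bulletin or from Exchange), a constructed compose-form renderer with an incomplete HTML encoder beside one that encodes every HTML-significant character; `weak_encode`, `strict_encode`, `render_compose_form` and the sample field values are hypothetical.

```python
import html
import re

# Constructed sample: values that a message a user replies to could carry
# into the Compose New Message form fields (hypothetical, not from the bulletin).
SAMPLE_FIELDS = {
    "subject": "Re: quarterly report <script>alert(1)</script>",
    "to": 'bob@example.test" onfocus="alert(1)',
}


def weak_encode(value):
    """Incomplete encoder: handles only < and >, so a double quote can still
    terminate an attribute value and smuggle in an event handler."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


def strict_encode(value):
    """Encode &, <, >, " and ' so the value is inert both as element text
    and inside a quoted attribute (html.escape with quote=True does all five)."""
    return html.escape(value, quote=True)


def render_compose_form(fields, encoder):
    """Render the two form fields the way a server-side template would,
    applying the given encoder to each user-controlled value."""
    return (
        '<input name="to" value="{to}">\n'
        '<input name="subject" value="{subject}">'
    ).format(to=encoder(fields["to"]), subject=encoder(fields["subject"]))


# Detection check for rendered output: a value attribute followed, inside the
# same tag, by an on*= handler means the encoded value broke out of its quotes.
BREAKOUT = re.compile(r'value="[^"]*"[^>]*\bon\w+=', re.IGNORECASE)


def attribute_breakout(markup):
    """True when the markup shows an attribute-context breakout."""
    return bool(BREAKOUT.search(markup))
```

Running `render_compose_form(SAMPLE_FIELDS, weak_encode)` produces markup that `attribute_breakout` flags, while the strictly encoded form does not; the difference is exactly the missing quote encoding.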

VENDOR RESPONSE

Microsoft has released security bulletin MS03-047, "Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting Attack (828489)," which addresses this vulnerability, and recommends that affected users immediately apply the appropriate patch listed in the bulletin.

CREDIT

Discovered by Ory Segal of Sanctum Inc.
