Arbitrary Code Execution Vulnerability in Microsoft Exchange Server 5.5 Outlook Web Access

Reported October 15, 2003, by Microsoft.


  • Microsoft Exchange Server 5.5 Outlook Web Access (OWA)


  • A vulnerability in Microsoft Exchange Server 5.5 Outlook Web Access (OWA) can result in the execution of arbitrary code on the user's system. The vulnerability stems from a cross-site scripting (XSS) flaw in the way OWA performs HTML encoding in the Compose New Message form. To exploit it, an attacker could cause a user to run script on the attacker's behalf in the user's security context. The attacker's script would then run with the security settings of the OWA Web site (or of any Web site hosted on the same server as the OWA Web site) and could let the attacker access any user-accessible data belonging to that site.
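The root cause named above is insufficient HTML encoding of values that OWA places into the Compose New Message form. The following Python snippet is an added example written for this page, not OWA code (OWA 5.5 is implemented in ASP); it contrasts a form renderer that inserts field values raw with one that encodes them for the HTML context they land in, using a constructed sample value that carries markup. The form field names, the `render_*` helper names and the sample input are assumptions made for illustration.

```python
import html

# Constructed sample values, as a pre-filled "subject" and "body" might arrive
# in a request that populates the Compose New Message form.
SAMPLE_SUBJECT = 'Re: status" onfocus="alert(1)'
SAMPLE_BODY = 'Hello <b>there</b> <script>alert(1)</script>'


def render_unencoded(subject: str, body: str) -> str:
    """The defective pattern: untrusted values pasted straight into markup.

    The subject breaks out of the value="" attribute and the body injects a
    script element, so the page runs whatever the request supplied.
    """
    return (
        '<form action="compose.asp" method="post">\n'
        f'  <input type="text" name="subject" value="{subject}">\n'
        f'  <textarea name="body">{body}</textarea>\n'
        '</form>'
    )


def render_encoded(subject: str, body: str) -> str:
    """The corrected pattern: encode for the HTML context before insertion.

    quote=True is required for the attribute position so that a double quote
    becomes &quot; and cannot terminate the value="" attribute; element
    content only needs <, > and & encoded, but escaping quotes there is harmless.
    """
    safe_subject = html.escape(subject, quote=True)
    safe_body = html.escape(body, quote=True)
    return (
        '<form action="compose.asp" method="post">\n'
        f'  <input type="text" name="subject" value="{safe_subject}">\n'
        f'  <textarea name="body">{safe_body}</textarea>\n'
        '</form>'
    )


def contains_unencoded_markup(rendered: str, untrusted_values: list[str]) -> bool:
    """Regression check: does any raw '<' or '"' from an untrusted value survive?

    Used here to show the kind of assertion a test suite for the form
    renderer would carry after a fix such as MS03-047.
    """
    for value in untrusted_values:
        if '<' in value and value in rendered:
            return True
        if '"' in value and value in rendered:
            return True
    return False


if __name__ == "__main__":
    print("--- unencoded (vulnerable) ---")
    print(render_unencoded(SAMPLE_SUBJECT, SAMPLE_BODY))
    print("--- encoded (fixed) ---")
    print(render_encoded(SAMPLE_SUBJECT, SAMPLE_BODY))
```

The check in `contains_unencoded_markup` is deliberately simple: it flags a page in which an untrusted value containing `<` or `"` appears verbatim in the output. That is enough to catch the class of defect described here, where the encoding step is missing altogether, but it is not a substitute for context-aware encoding in every place a value is emitted (attribute, element body, URL, script block).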


Microsoft has released security bulletin MS03-047, "Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting Attack (828489)," which addresses this vulnerability, and recommends that affected users immediately apply the appropriate patch listed in the bulletin.


Discovered by Ory Segal of Sanctum Inc.
