|
|
|
 |
Vulnerability Note VU#300373Microsoft Outlook Web Access vulnerable to cross-site scriptingOverviewMicrosoft Outlook Web Access may be vulnerable to cross-site scripting attacks.I. DescriptionMicrosoft Outlook Web Access (OWA) allows users to access their email accounts on a Microsoft Exchange server from another host through a web browser.Microsoft Outlook Web Access for Exchange Server 5.5 contains a flaw in the HTML encoding routines used in the Compose New Message form that may allow an attacker to send a specially-crafted message to a user which then in turn runs a malicious script in the security context of the user reading the mail message.
Utilize Workarounds Microsoft Security Bulletin MS05-029 recommends a number of workarounds, including: Uninstall Outlook Web Access Disable Outlook Web Access for each Exchange site Modify the Read.asp file to not encode HTML mail with the appropriate HTML markup Systems Affected
Referenceshttp://www.microsoft.com/technet/security/bulletin/MS05-029.mspx http://www.microsoft.com/exchange/en/55/help/default.asp?url=/exchange/en/55/help/documents/server/xog18001.htm?id=685 CreditThanks to Microsoft for information on this issue, who in turn thank Gaël Delalleau working with iDEFENSE for reporting this vulnerability. This document was written by Ken MacInnis.
If you have feedback, comments, or additional information about this vulnerability, please send us
email. |
|||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||
Get Adobe Reader