Vulnerability Note VU#829876
Microsoft Outlook Web Access may not use correct HTTP directive
Some versions of Outlook Web Access (OWA) may use the no-cache instead of the no-store HTTP 1.1 directive. This results in web browsers caching sensitive information.
Some versions of Outlook Web Access may use the Cache-Control: no-cache HTTP 1.1 directive.
From RFC 2616:
If the no-cache directive does specify one or more field-names, then a cache MAY use the response to satisfy a subsequent request, subject to any other restrictions on caching. However, the specified field-name(s) MUST NOT be sent in the response to a subsequent request without successful revalidation with the origin server. This allows an origin server to prevent the re-use of certain header fields in a response, while still allowing caching of the rest of the response.
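The distinction the note turns on is that, under RFC 2616 section 14.9, only `no-store` forbids a cache from writing a response to storage; `no-cache` (with or without field names) only forbids reusing the stored copy, or the named header fields, without revalidation, so a browser's disk cache may still hold the page body. The following is an added example, not code from the vulnerability note, CERT or Microsoft; it parses a `Cache-Control` value, including quoted field-name lists such as `no-cache="Set-Cookie"`, and reports whether the response may legitimately be stored. The sample header sets are constructed for illustration and were not captured from a real OWA server.

```python
"""Classify HTTP responses by whether their Cache-Control header actually
forbids storage (RFC 2616 section 14.9).

Added example with constructed sample headers; it is not code from the
vulnerability note, CERT or Microsoft. Only ``no-store`` forbids writing
the response to storage; ``no-cache`` merely forbids reusing the stored
copy (or the named header fields) without revalidation.
"""

from typing import Dict, List, Optional, Tuple


def _split_directives(value: str) -> List[str]:
    """Split on commas that sit outside quoted-strings, so a directive such
    as no-cache="Set-Cookie, Authorization" stays one token."""
    parts: List[str] = []
    buf: List[str] = []
    in_quotes = False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Parse a Cache-Control value into {directive-name: argument or None}.
    Names are case-insensitive; a quoted argument has its quotes removed."""
    directives: Dict[str, Optional[str]] = {}
    for token in _split_directives(value):
        name, sep, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; a missing header yields ''."""
    for key, val in headers.items():
        if key.lower() == name.lower():
            return val
    return ""


def storage_verdict(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (may_be_stored, reason) for one response's headers.

    True means a conforming cache, including the browser's own disk cache,
    is permitted to write the response to storage."""
    cc = parse_cache_control(_header(headers, "Cache-Control"))
    if "no-store" in cc:
        return False, "no-store present: the response must not be stored"
    if "no-cache" in cc:
        fields = cc["no-cache"]
        if fields:
            return True, ("no-cache names fields (%s): only those headers are "
                          "withheld before revalidation; the body may be stored" % fields)
        return True, "no-cache without fields: may be stored, only reuse needs revalidation"
    if _header(headers, "Pragma").lower() == "no-cache":
        # RFC 2616 section 14.32 defines Pragma: no-cache as a request directive;
        # it gives a response no storage restriction.
        return True, "Pragma: no-cache is a request directive; storage not restricted"
    return True, "no storage-restricting directive present"


def may_be_stored(headers: Dict[str, str]) -> bool:
    """Convenience wrapper returning only the boolean part of the verdict."""
    return storage_verdict(headers)[0]


# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "no-cache only": {"Cache-Control": "no-cache", "Pragma": "no-cache"},
    "no-cache with field names": {"Cache-Control": 'private, no-cache="Set-Cookie, Authorization"'},
    "no-store": {"Cache-Control": "no-store, no-cache, must-revalidate"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        stored, why = storage_verdict(hdrs)
        print("%-28s stored=%-5s %s" % (label, stored, why))
```

Running the block over the three samples shows that only the third set, the one carrying `no-store`, forbids storage; the other two, including the `Pragma: no-cache` pairing that older applications often emitted, leave the page body eligible for the browser's disk cache.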
Sensitive information that is viewed during an Outlook Web Access session may be stored to disk.
We are unaware of a solution for this problem.
Clear browser caches
Systems Affected

| Vendor | Status | Date Notified | Date Updated |
| --- | --- | --- | --- |
| Microsoft Corporation | Affected | 06 Mar 2008 | 31 Mar 2008 |
CVSS Metrics
Thanks to Bill Knox from MITRE for reporting this vulnerability.
This document was written by Ryan Giobbi.
- CVE IDs: Unknown
- Date Public: 09 May 2008
- Date First Published: 09 May 2008
- Date Last Updated: 28 Dec 2009
- Severity Metric: 0.11
- Document Revision: 28