CERT-In Vulnerability Note CIVN-2008-102
Microsoft Outlook Web Access for Exchange Server XSS Vulnerabilities
Original Issue Date:
June 10, 2008
Severity Rating:
Medium
System Affected
- Microsoft Exchange Server 2003 SP 2
- Microsoft Exchange Server 2007
- Microsoft Exchange Server 2007 SP 1
Overview
Two cross-site scripting vulnerabilities have been reported in the Microsoft Outlook Web Access component of Exchange Server, which could be exploited by remote attackers to carry out script injection attacks.
Description
Outlook Web Access (OWA) is a component of Exchange Server that provides e-mail access to authorized users over the Internet.
Cross-site scripting (XSS) is a security vulnerability that could enable an attacker to inject code into a user's session with a Web site.
1. Unspecified e-mail field cross-site scripting vulnerability (CVE-2008-2247)
This vulnerability is due to insufficient input validation of e-mail fields by Outlook Web Access when mail is opened from within an individual client's OWA session. An attacker could exploit this vulnerability to perform a cross-site scripting attack by convincing a user to open a specially crafted e-mail.
Successful exploitation of this vulnerability could allow an attacker to gain access to an individual client's OWA session data, resulting in elevation of privilege.
2. E-mail message HTML parsing vulnerability (CVE-2008-2248)
This vulnerability is due to an error in parsing HTML when rendering e-mail from within an individual OWA client session. An attacker could exploit it by convincing a user to open a specially crafted e-mail message, launching a cross-site scripting attack.
Successful exploitation of this vulnerability could allow an attacker to gain access to an individual client's OWA session data and effect an elevation of privilege.
Note: OWA Premium is not impacted by these vulnerabilities.
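Both defects above come down to rendering e-mail content that was not treated as untrusted. The following Python example, added here and taken neither from this note nor from Microsoft's OWA code, shows how a webmail front end can render a message defensively: header fields such as sender and subject are HTML-escaped as plain text (the CVE-2008-2247 class of bug), and the HTML body is rebuilt from an allowlist of tags and attributes so embedded script, event-handler attributes and javascript: links are dropped rather than parsed through (the CVE-2008-2248 class). The allowlist contents, the AllowlistSanitizer class and render_message are illustrative assumptions.

```python
import html
from html.parser import HTMLParser
# Allowlist (illustrative assumption, not OWA's): anything not listed is dropped.
ALLOWED_TAGS = {"p", "b", "i", "u", "br", "a", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class AllowlistSanitizer(HTMLParser):
    """Re-serialise an HTML body, keeping only allowlisted tags and attributes."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # >0 inside <script>/<style>; their text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # tag dropped; its text still passes through, escaped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # drops onclick=, onerror=, style=, ...
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # drops javascript: and data: URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:  # text is always re-escaped, never echoed raw
            self.out.append(html.escape(data, quote=True))

def sanitize_html(body):
    """Rebuild an e-mail HTML body from the allowlist instead of echoing it."""
    p = AllowlistSanitizer()
    p.feed(body)
    p.close()
    return "".join(p.out)

def render_message(sender, subject, body_html):
    """Header fields are escaped as text; the body goes through the allowlist."""
    hdr = f"From: {html.escape(sender, quote=True)}<br>Subject: {html.escape(subject, quote=True)}"
    return f'<div class="hdr">{hdr}</div><div class="body">{sanitize_html(body_html)}</div>'
```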
Solution
Apply the appropriate patches as described in Microsoft Security Bulletin MS08-039.
Vendor Information
Microsoft
http://www.microsoft.com/technet/security/bulletin/ms08-039.mspx
References
SecurityTracker
http://securitytracker.com/alerts/2008/Jul/1020439.html
Secunia
http://secunia.com/advisories/30964/
SecurityFocus
http://www.securityfocus.com/bid/30130/
FrSIRT
http://www.frsirt.com/english/advisories/2008/2021
X-Force-ISS
http://xforce.iss.net/xforce/xfdb/43329
CVE Name
CVE-2008-2247
CVE-2008-2248
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003