Credit:
The information has been provided by Context IS - Disclosure.
Vulnerable Systems:
* Microsoft Outlook Web Access 2003 and 2007 (Exchange Server 2003 SP2, Exchange Server 2007, Exchange Server 2007 SP1)
Analysis:
An attacker can craft a malicious email containing the attack strings to compromise an OWA client. The user only needs to view the email to become a victim of the XSS attack. Furthermore, persistent XSS can be gained by changing certain values within OWA to a particular XSS attack string. This string (consisting of HTML/JavaScript) is stored server-side and subsequently injected into *any* page which uses this value, including "new email" and "reply email" (for OWA 2003) and most pages (for OWA 2007). Because the payload lives in the stored value rather than in the session, logging out of the application and back in will not clear the attack. Furthermore, the attack can be propagated by using the control over the OWA client to email the attack link to all users in the victim's inbox/contacts.
At this point the attack would spread as an XSS worm (albeit one requiring each recipient to view the incoming email). This could potentially affect all users of the OWA application.
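The persistence described above comes from a stored value being emitted into page markup without output encoding. The following is an added illustration of that pattern and its fix; it is constructed example code, not OWA source, and the setting name (displayName), the two page templates and the payload string are assumptions chosen to mirror the advisory's "new email" and "reply" pages.

```javascript
// Constructed sample: one user's stored preference, as it would sit in the
// server-side settings store after an attacker had changed it. The payload
// closes an attribute first so it is live in both element and attribute context.
const storedSettings = {
  displayName: 'Alice"><script>alert(1)</script>',
};

// Minimal HTML encoder for text and double-quoted attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hypothetical page templates that embed the stored value, one in element
// content ("new email" header) and one in an attribute ("reply" form field).
const pageTemplates = {
  newMail: (name) => `<div class="from">${name}</div>`,
  reply:   (name) => `<input name="from" value="${name}">`,
};

function renderAll(settings, encode) {
  const out = {};
  for (const [page, tpl] of Object.entries(pageTemplates)) {
    out[page] = tpl(encode(settings.displayName));
  }
  return out;
}

// Vulnerable: the stored value is interpolated as-is into every page.
function renderVulnerable(settings) {
  return renderAll(settings, (v) => v);
}

// Hardened: encode at the output boundary, every time the value is emitted.
function renderHardened(settings) {
  return renderAll(settings, escapeHtml);
}

// Crude reviewer's check over rendered output: does script-bearing markup
// survive as a real tag (a literal "<script", not "&lt;script")?
const LIVE_TAG = /<script\b|\bonerror\s*=/i;
function pagesCarryingPayload(rendered) {
  return Object.keys(rendered).filter((p) => LIVE_TAG.test(rendered[p]));
}

// Simulated "log out and back in": the session is discarded but the stored
// value is untouched, so a fresh render still carries the payload.
function payloadSurvivesRelogin(settings) {
  const afterRelogin = { ...settings };
  return pagesCarryingPayload(renderVulnerable(afterRelogin)).length > 0;
}
```

Run stand-alone, `pagesCarryingPayload(renderVulnerable(storedSettings))` names both pages while the hardened render names none, and `payloadSurvivesRelogin` is true: the fix belongs at the point where the value is written into markup, not in session handling.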
Vendor Response:
On 9th July 2008, Microsoft issued security bulletin MS08-039 (Vulnerabilities in Outlook Web Access for Exchange Server Could Allow Elevation of Privilege) and associated patches for Exchange Server 2003 and Exchange Server 2007 SP1.
Patches are available from:
http://www.microsoft.com/technet/security/bulletin/ms08-039.mspx
Context would recommend that these patches be installed as soon as practical on all Exchange Servers providing OWA functionality. Note that the bulletin provides updates for Exchange Server 2003 and Exchange Server 2007 SP1 only; Exchange Server 2007 installations still at the RTM level should be brought to SP1 before the update can be applied.
CVE Information:
CVE-2008-2247 and CVE-2008-2248
Disclosure Timeline:
10th January 2008 - Initial discovery and vendor notification.
14th January 2008 - Vendor response requesting further details.
14th March 2008 - Vendor response requesting PoC. PoC provided.
9th July 2008 - Vendor advisory release.
10th July 2008 - Context Information Security Ltd advisory release.