Microsoft Outlook Web Access may be vulnerable to cross-site scripting attacks.
Microsoft Outlook Web Access (OWA) allows users to access their email accounts on a Microsoft Exchange server from another host through a web browser.
Microsoft Outlook Web Access for Exchange Server 5.5 contains a flaw in the HTML encoding routines used in the Compose New Message form that may allow an attacker to send a specially-crafted message to a user which then in turn runs a malicious script in the security context of the user reading the mail message.
A remote unauthenticated attacker may be able to execute arbitrary script code in the security context of the user reading the mail.
Apply An Update
Please see Microsoft Security Bulletin MS05-029 for more information, such as workarounds and patches.
Microsoft Security Bulletin MS05-029 recommends a number of workarounds, including:
Uninstall Outlook Web Access
Disable Outlook Web Access for each Exchange site
Read.asp file to not encode HTML mail with the appropriate HTML markup
Vendor| Status| Date Notified| Date Updated
Microsoft Corporation| | -| 14 Jun 2005
If you are a vendor and your product is affected, let us know.
Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A
Thanks to Microsoft for information on this issue, who in turn thank Gaël Delalleau working with iDEFENSE for reporting this vulnerability.
This document was written by Ken MacInnis.