Microsoft Exchange Outlook Web Access HTTP Response Splitting Vulnerability

2004-08-10T00:00:00
ID SMNTC-10902
Type symantec
Reporter Symantec Security Response
Modified 2004-08-10T00:00:00

Description

Microsoft Exchange Outlook Web Access (OWA) is prone to HTTP response splitting attacks. The issue could permit hostile script to be injected into client sessions and thereby gain access to properties of the OWA server and of Web pages hosted on the site. Note that an attacker must authenticate to OWA to be in a position to exploit this issue. Successful exploitation could allow various attacks, such as session hijacking and content spoofing. The issue could also be used to exploit latent vulnerabilities in Web client software.
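Response splitting, as described above, hinges on a CR/LF pair reaching a header value that the server copies from request input. The following added example is not Exchange or OWA code (the function names and the sample redirect value are constructed): it shows a naive response writer, the extra header a client would see, and the validation check that closes the gap.

```python
"""Defensive handling of HTTP response splitting (CRLF injection).
Constructed illustration, not Exchange/OWA code: the vulnerable pattern is
a header value copied verbatim from request input; the fix validates it."""
from __future__ import annotations
import re

# CR, LF, and the line separators some stacks normalise into CRLF.
_LINE_BREAK = re.compile(r"[\r\n\x85\u2028\u2029]")


def serialize(status: str, headers: list[tuple[str, str]]) -> bytes:
    """Naive response writer: trusts every header value it is handed."""
    lines = [f"HTTP/1.1 {status}"] + [f"{name}: {value}" for name, value in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def safe_header_value(value: str) -> str:
    """Reject any value that could end the header line early.
    Check the value *after* any URL/HTML decoding, i.e. the exact string
    that will be written to the wire."""
    if _LINE_BREAK.search(value):
        raise ValueError("line break in header value (possible response splitting)")
    return value


def build_redirect(target: str, *, validate: bool = True) -> bytes:
    """Redirect whose Location comes from request input (hypothetical OWA-style flow)."""
    value = safe_header_value(target) if validate else target
    return serialize("302 Found", [("Location", value), ("Content-Length", "0")])


def header_names(raw: bytes) -> list[str]:
    """Return the header names a client would parse from the first response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:]]


# Constructed sample: a redirect parameter carrying CRLF plus an extra header line.
TAINTED = "/exchange/inbox\r\nX-Injected: 1"
CLEAN = "/exchange/inbox"
```

With `validate=False` the tainted value yields a response in which `X-Injected` appears as a genuine header; with validation on, the same input is rejected before anything is written.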

Technologies Affected

  • Microsoft Exchange Server 5.5 SP4

Recommendations

Block external access at the network boundary, unless external parties require service.
Use network access controls to explicitly restrict external access by untrusted networks and hosts. Permit access for trusted networks and hosts only.

Disallow anonymous access to services. Permit access for trusted individuals only.
Only permit anonymous access to the service if it is an explicit requirement. This will reduce exposure to exploitation of this and other latent vulnerabilities.

Run all software as a nonprivileged user with minimal access rights.
As a general security precaution against Web browser attacks, users should perform non-administrative tasks as an unprivileged user with minimal access rights.

Set web browser security to disable the execution of script code or active content.
Disabling support for client-side scripting and Active Content may limit exposure to consequences of this and other latent vulnerabilities.

Communicate sensitive information over encrypted channels.
Access to Outlook Web Access should occur over SSL-protected communication channels. This may limit the consequences of this issue.

Disable any services that are not needed.
If the Outlook Web Access service is not explicitly required, it should be disabled or removed on all Exchange servers where it is present.

Microsoft has released a Security Bulletin that includes fixes to address this issue.