Microsoft Exchange Server Outlook Web Access Script Injection Vulnerability
BID:18381
Info
Microsoft Exchange Server Outlook Web Access Script Injection Vulnerability
| Bugtraq ID: | 18381 |
| Class: | Input Validation Error |
| CVE: |
CVE-2006-1193 |
| Remote: | Yes |
| Local: | No |
| Published: | Jun 13 2006 12:00AM |
| Updated: | Jun 28 2006 04:34PM |
| Credit: | Daniel Fabian discovered this issue. |
| Vulnerable: |
Microsoft Exchange Server 2003 SP2 Microsoft Exchange Server 2003 SP1 Microsoft Exchange Server 2000 SP3 |
| Not Vulnerable: | |
Discussion
Microsoft Exchange Server Outlook Web Access Script Injection Vulnerability
Microsoft Exchange Server Outlook Web Access is prone to a script-injection vulnerability.
A remote attacker can exploit this issue by sending a malicious email message to a vulnerable user.
Microsoft Exchange Server Outlook Web Access is prone to a script-injection vulnerability.
A remote attacker can exploit this issue by sending a malicious email message to a vulnerable user.
Exploit / POC
Microsoft Exchange Server Outlook Web Access Script Injection Vulnerability
Attackers can exploit this issue by sending a malicious email. Exploit code is not required.
A proof of concept that targets browsers other than Internet Explorer is available.
Attackers can exploit this issue by sending a malicious email. Exploit code is not required.
A proof of concept that targets browsers other than Internet Explorer is available.
Solution / Fix
Microsoft Exchange Server Outlook Web Access Script Injection Vulnerability
Solution:
Microsoft has released an advisory including fixes to address this issue.
Microsoft Exchange Server 2003 SP1
Microsoft Exchange Server 2000 SP3
Microsoft Exchange Server 2003 SP2
Solution:
Microsoft has released an advisory including fixes to address this issue.
Microsoft Exchange Server 2003 SP1
-
Microsoft Security Update for Exchange Server 2003 SP1 (KB912442)
http://www.microsoft.com/downloads/details.aspx?familyid=0E192781-847F -41C1-B32A-84218DB60942&displaylang=en
Microsoft Exchange Server 2000 SP3
-
Microsoft Security Update for Exchange 2000 Server (KB912442)
http://www.microsoft.com/downloads/details.aspx?familyid=746CE64E-3186 -422B-A13B-004E7942189B&displaylang=en
Microsoft Exchange Server 2003 SP2
-
Microsoft Security Update for Exchange Server 2003 SP2 (KB912442)
http://www.microsoft.com/downloads/details.aspx?familyid=C777BC9F-52B7 -4F17-96C7-DAF3B9987D70&displaylang=en
References
Microsoft Exchange Server Outlook Web Access Script Injection Vulnerability
References:
References:
- Microsoft Security Bulletin MS06-029 (Microsoft)
- Microsoft Technet Security (Microsoft)
- SEC-CONSULT Security Advisory < 20060613-0 v2> (SEC-CONSULT)
- SEC Consult SA-20060613-0 :: Outlook Web Access Cross Site Scripting Vulnerabili ("SEC Consult Research"
)