Microsoft Outlook Web Access for Exchange Server Email Field Cross-Site Scripting Vulnerability
BID:30130
Info
| Bugtraq ID: | 30130 |
| Class: | Input Validation Error |
| CVE: | CVE-2008-2247 |
| Remote: | Yes |
| Local: | No |
| Published: | Jul 08 2008 12:00AM |
| Updated: | May 31 2019 10:00PM |
| Credit: | Michael Jordan of Context Information Security |
| Vulnerable: | Microsoft Exchange Server 2003 SP2; Avaya Messaging Application Server MM 3.1; Avaya Messaging Application Server MM 3.0; Avaya Messaging Application Server MM 2.0; Avaya Messaging Application Server MM 1.1; Avaya Messaging Application Server 0 |
| Not Vulnerable: | Microsoft Exchange Server 2000 SP3 |
Discussion
Microsoft Outlook Web Access (OWA) for Exchange Server is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input in an email field.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal potentially sensitive information and launch other attacks.
Exploit / POC
An attacker can exploit this issue by enticing an unsuspecting user to open a malicious email.
Solution / Fix
Solution:
The vendor has released an advisory and updates to address this issue. Please see the referenced advisory for more information.
Microsoft Exchange Server 2003 SP2
- Microsoft Security Update for Exchange Server 2003 SP2 (KB950159)
http://www.microsoft.com/downloads/details.aspx?familyid=E099C1D1-5AF6-4D6C-B735-9599412B3131&displaylang=en
References
References:
- Exchange Server Home Page (Microsoft)
- MS08-039: Which users are vulnerable to the OWA XSS vulnerability? (Microsoft Security Vulnerability Research & Defense)
- Context IS Advisory - MS08-39 OWA XSS (Context IS - Disclosure)
- ASA-2008-290 MS08-039 Vulnerabilities in Outlook Web Access for Exchange Server (Avaya)
- Context IS Advisory - MS08-39 OWA XSS (Context Information Security)
- Microsoft Security Bulletin MS08-039 (Microsoft)