J-Security Center

Title: Microsoft Outlook Web Access Login Form Remote URI Redirection Vulnerability

Severity: MODERATE

Description:

Microsoft Outlook Web Access is an application designed to integrate with Microsoft Exchange Server and to provide secure web-based access to email.

A remote URI-redirection vulnerability affects Microsoft Outlook Web Access. This issue occurs because the application fails to properly sanitize URI-supplied data.

The problem presents itself when an unsuspecting user follows a malicious link to the Microsoft Outlook Web Access login screen. By supplying an arbitrary absolute URI in the 'url' parameter of the affected Microsoft Outlook Web Access login script, an attacker can cause the user to be redirected to any site when the login form is submitted. Because the redirect follows a legitimate login on the genuine OWA host, the user may implicitly trust the site that is loaded afterwards, facilitating phishing-style attacks.

Note that to leverage this issue, the attacker must entice an unsuspecting user to follow a malicious link to the Microsoft Outlook Web Access login form. A malicious address must be appended to the OWA URL. The attacker must also bypass an alert message displayed by the browser and must entice the user to enter authentication credentials in the malicious site.

Attackers may leverage this issue to carry out convincing phishing attacks against unsuspecting users by causing an arbitrary page to be loaded when the Microsoft Outlook Web Access login form is submitted.
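The root cause above is an unvalidated post-login redirect target. The following is an added example (not Microsoft's or Juniper's code) of how a login handler can validate such a parameter so that only destinations on the site's own origin are honoured; the host name `owa.example.com`, the landing path `/exchange/`, and the function names are assumptions chosen for illustration, and the sample inputs are constructed.

```python
"""
Added example: validating a post-login redirect target such as the 'url'
parameter described in the advisory. Only same-origin destinations are
honoured; anything else falls back to a fixed landing page.
Host names, paths and sample inputs are constructed for illustration.
"""
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical origin this OWA deployment serves (assumed value).
OWA_ORIGIN = "https://owa.example.com"
# Hypothetical page to land on when the requested target is rejected.
DEFAULT_LANDING = "/exchange/"


def is_safe_redirect(target: str, origin: str = OWA_ORIGIN) -> bool:
    """Return True only if `target` resolves to a location on `origin`.

    Rejects absolute URLs to other hosts, scheme-relative URLs ("//host"),
    backslash variants that browsers treat as slashes, non-http(s) schemes
    such as javascript:, userinfo tricks ("https://owa@evil") and control
    characters that could smuggle a header into the Location response.
    """
    if not target:
        return False
    # Browsers normalise backslashes to slashes in the authority part, so
    # "/\evil.example" is really "//evil.example". Normalise before parsing.
    candidate = target.replace("\\", "/")
    # CR, LF, tabs and spaces can split headers or hide a scheme from the parser.
    if any(ord(ch) <= 0x20 for ch in candidate):
        return False
    parts = urlsplit(candidate)
    # Any scheme other than http/https (javascript:, data:, vbscript:) is rejected.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    expected = urlsplit(origin)
    if parts.netloc:
        # Absolute or scheme-relative URL: the whole authority must match, so
        # "owa.example.com@evil.example" and "owa.example.com.evil.example" fail.
        if parts.netloc.lower() != expected.netloc.lower():
            return False
        # Refuse a downgrade from https to http on our own host.
        if parts.scheme and parts.scheme.lower() != expected.scheme.lower():
            return False
        return True
    # Relative target: must be an absolute path on this site, and not "//".
    return candidate.startswith("/") and not candidate.startswith("//")


def resolve_post_login_target(url_param: Optional[str]) -> str:
    """Redirect to use after a successful login.

    The vulnerable pattern is to redirect to `url_param` unchecked; here the
    parameter is honoured only when it passes `is_safe_redirect`, otherwise
    the fixed landing page is used.
    """
    if url_param and is_safe_redirect(url_param):
        return url_param.replace("\\", "/")
    return DEFAULT_LANDING


if __name__ == "__main__":
    # Constructed sample values an attacker-supplied 'url' parameter might carry.
    samples = [
        "/exchange/inbox",
        "https://owa.example.com/exchange/",
        "https://evil.example/login",
        "//evil.example/login",
        "/\\evil.example/login",
        "javascript:alert(1)",
        "https://owa.example.com@evil.example/",
    ]
    for s in samples:
        print(f"{s!r:45} -> {resolve_post_login_target(s)}")
```

The check compares the full authority string rather than a substring or prefix, which is what defeats the userinfo and look-alike host variants; the fallback to a fixed landing page means a rejected value degrades to normal behaviour rather than an error the user might be tricked into retrying.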

Affected Products:

  • Microsoft Exchange Server 2003
  • Microsoft Exchange Server 2003 SP1
