Title: Microsoft OWA Server Embedded Script Execution Vulnerability
Severity: HIGH
Description:
Outlook Web Access (OWA) is a component of Exchange Server that allows for users to access their mail using a web browser.
OWA contains a vulnerability that may result in attacker-supplied script code executing within the context of the mail interface.
Because OWA is web-based and supports HTML e-mail, extra care must be taken to ensure that malicious script code possibly embedded in the message does not execute and interact with the OWA environment. OWA attempts to detect and filter any script code which may be in the message. In Exchange Server 5.5, OWA fails to detect specially obfuscated script code. Unfiltered, the script code will execute if embedded in an HTML email opened by a user.
This vulnerability is due to a failure in the process of detecting and filtering script code.
The script code that executes may perform OWA actions as the user, such as sending or deleting email. The script interacts with the web interface, and does not affect the underlying client/server hosts.
This attack requires that the attacker knows the version of OWA used by the victim.
Affected Products:
- Microsoft Exchange Server 5.5.0
- Microsoft Exchange Server 5.5.0SP1
- Microsoft Exchange Server 5.5.0SP2
- Microsoft Exchange Server 5.5.0SP3
- Microsoft Exchange Server 5.5.0SP4
References:
- Microsoft: Microsoft Security Bulletin (MS01-057)
- Microsoft: Microsoft Technet Security
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
