Full Disclosure mailing list archives
re: Microsoft Outlook Web Access URL Injection
From: "morning_wood" <se_cur_ity () hotmail com>
Date: Mon, 7 Feb 2005 09:27:25 -0800
looks like MS is NOT publicly releasing a fix for this, while they have the means and solution at hand. ( at least under IE )

a kind reader sent this little snippet...

"... was able to get Microsoft to provide us with a DLL to drop under IIS 6 to compare URL variable against the Host: header variable and do 302 to web root if they are not similar. This fixed the problem, however, I doubt that Microsoft will make this patch available to the public."

what happened to MS commitment to security???

ugg,
m.w

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
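The check the quoted reader describes (compare the URL variable against the Host: header, 302 to the web root on mismatch), sketched as an added example; this is not Microsoft's DLL or code from the post. The function names, the `/` web root and the sample hosts are assumptions.

```python
from urllib.parse import urlsplit

WEB_ROOT = "/"  # assumption: rejected requests are redirected here (302)

def _host_port(parts, default_port):
    """Return (lower-cased host, explicit port), or None if unusable."""
    if parts.username is not None or not parts.hostname:
        return None  # userinfo ("trusted@other-host") is never accepted
    return parts.hostname.rstrip("."), parts.port or default_port

def safe_target(url_param, host_header, https=True):
    """Return url_param if it stays on the host named in Host:, else WEB_ROOT."""
    own_scheme = "https" if https else "http"
    ports = {"http": 80, "https": 443}
    # Browsers treat backslashes, whitespace and control characters in ways
    # urlsplit does not model, so refuse them outright.
    if any(c == "\\" or ord(c) <= 0x20 for c in url_param):
        return WEB_ROOT
    try:
        expected = _host_port(urlsplit("//" + host_header.strip()), ports[own_scheme])
        target = urlsplit(url_param)
        if not target.scheme and not target.netloc:
            # Relative reference: keep only a path with a single leading slash.
            ok = url_param.startswith("/") and not url_param.startswith("//")
            return url_param if ok else WEB_ROOT
        scheme = target.scheme or own_scheme
        if scheme not in ports:
            return WEB_ROOT
        actual = _host_port(target, ports[scheme])
    except ValueError:  # malformed port or IPv6 literal
        return WEB_ROOT
    return url_param if expected is not None and actual == expected else WEB_ROOT

# Constructed sample requests: (url variable, Host: header)
SAMPLES = [
    ("/exchange/inbox/", "mail.example.com"),
    ("https://MAIL.example.com:443/exchange/", "mail.example.com"),
    ("https://other.example/exchange/", "mail.example.com"),
    ("https://mail.example.com@other.example/", "mail.example.com"),
]

if __name__ == "__main__":
    for url, host in SAMPLES:
        print(f"{url!r:50} -> {safe_target(url, host)!r}")
```

An exact host-and-port match is stricter than the "similar" comparison the reader mentions: a prefix or substring test would accept look-alike hosts such as `mail.example.com.other.example`.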