Full Disclosure mailing list archives
Re: MS OWA 2003 Redirection Vulnerability - [MSRC 7368br]
From: "Micheal Cottingham" <techie.micheal () gmail com>
Date: Sat, 15 Nov 2008 11:36:26 -0500
I found and reported this back in 2005/2006. Microsoft told me that it had been reported previously and that it would be fixed in the next release, which I'm guessing they meant 2007. I do not know if they have fixed it in Exchange 2007. On Sat, Nov 15, 2008 at 5:33 AM, Piergiorgio Venuti <piergiorgio () gigasec org> wrote:
Hi all, also I've found this vulnerability 1 year ago during a pt and work fine with url obfuscation. I've read that with owa 2007 this vulnerability is patched but I don't have tried yet. Best regards, Piergiorgio Giuseppe Gottardi ha scritto:Davide, let me comfort you... I found this vulnerability 1 year ago during a penetration test activity and I never reported before for my negligence :-) https://owa/CookieAuth.dll?GetLogon?url=%2Fexchweb%2Fbin%2Fredir.asp%3FURL%3Dhttp%3A%2F%2Fwww.google.it&reason=0 Best regards, oveRet On ven, 2008-10-17 at 21:07 +0200, Davide Del Vecchio wrote: Hi,I found and notified this vulnerability to Microsoft in date: Tue, 10 Apr 2007 15:40:13 +0200 You read exactly, April 2007, 1 year and 6 months ago. :( The Microsoft Security Response Center opened the case ID MSRC 7368br. The bug has never been patched since 1 year and 6 months. I asked time to time for updates but they always answered me that the bug had to be patched with the next Service Pack and they did not have any ETA. This SP has still to be released. They told me that if I released the vulnerability prior to the official patch, I could not be officially credited for that. I tought it was not a critical vuln, and so I waited. Too much (?). I am a bit sorry for Microsoft, I think they lost an other chance since now I feel a bit tricked. I am not sure if the next time I will wait so much and I am not sure if I will suggest to anyone to wait for the patch. I just hope Microsoft will credit me in the official patch. :( Below you can find the first mail I wrote to MS regarding the issue. Best regards, Davide Del Vecchio. From: "Davide Del Vecchio" <dante () alighieri org> To: secure () microsoft com Subject: Microsoft Outlook Web Access "redir.asp" Redirection Weakness Date: Tue, 10 Apr 2007 15:40:13 +0200 Hello, I found a weakness in Microsoft Outlook Web Access (OWA), which potentially can be exploited by malicious people to conduct phishing attacks. The weakness is caused due to a design error in the way OWA uses an unverified user supplied argument to redirect a user after successful authentication. This can e.g. be exploited by tricking a user into following a link from a HTML document to the trusted login page with a malicious "url" parameter. After successful authentication, the user will be redirected to the untrusted (fake) site. The affected product is: Microsoft Outlook Web Access ( OWA ) Windows 2003 Examples: https://[owa-url]/exchweb/bin/redir.asp?URL=http://www.example.com this will take the user to http://www.example.com when the login box is pressed. https://[owa-url]/exchweb/bin/redir.asp?URL=http://www.example.com/setup.exe prompts the user to download an executable or other file. The attacker can then have a page to capture the user / password and redirect back to the original login page or some other form of phishing attack. Note that this vulnerability is very similar to the one affecting "owalogin.asp" described here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0420 Best regards, Davide Del Vecchio. Martin Suess ha scritto: ...Timeline: --------- Vendor Status: MSRC tracking case closed Vendor Notified: March 31st 2008 Vendor Response: May 6th 2008 Advisory Release: October 15th 2008 Patch available: - (vulnerability not high priority)-- +----------------------------------------------------------------------+ | Ing. Piergiorgio Venuti, CCSP | | 0x5ECFE022 - B44B C817 3793 C7C7 2734 F898 DE03 8961 5ECF E022| +----------------------------------------------------------------------+ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: MS OWA 2003 Redirection Vulnerability - [MSRC 7368br] Giuseppe Gottardi (Nov 13)
- Re: MS OWA 2003 Redirection Vulnerability - [MSRC 7368br] Piergiorgio Venuti (Nov 15)
- Re: MS OWA 2003 Redirection Vulnerability - [MSRC 7368br] Micheal Cottingham (Nov 15)
- <Possible follow-ups>
- Re: MS OWA 2003 Redirection Vulnerability - [MSRC 7368br] Elazar Broad (Nov 15)
- Re: MS OWA 2003 Redirection Vulnerability - [MSRC 7368br] Piergiorgio Venuti (Nov 15)