Microsoft Outlook Web Access owalogon.asp script URL redirect
| owa-owalogonasp-url-redirect (19225) |  Medium Risk |
Description:
Microsoft Outlook Web Access (OWA) could allow a remote attacker to redirect URL requests. By sending a specially-crafted URL containing malicious characters to the owalogon.asp script, a remote attacker could redirect the victim to an arbitrary Web site, once the link is clicked.
Platforms Affected:
- Microsoft, Outlook Web Access
Remedy:
Upgrade to the Microsoft Exchange Server 2007, available from the Microsoft Web site. See References.
Consequences:
Obtain Information
References:
- Full-Disclosure Mailing List, Sun Feb 06 2005 - 18:00:10 CST , Microsoft Outlook Web Access URL Injection Vulnerability at http://archives.neohapsis.com/archives/fulldisclosure/2005-02/0001.html.
- Microsoft Web site, Microsoft Exchange Server 2007 at http://www.microsoft.com/exchange/default.mspx.
- BID-12459: Microsoft Outlook Web Access Login Form Remote URI Redirection Vulnerability
- CVE-2005-0420: Microsoft Outlook Web Access (OWA), when used with Exchange, allows remote attackers to redirect users to arbitrary URLs for login via a link to the owalogon.asp application.
- SA14144: Microsoft Outlook Web Access "owalogon.asp" Redirection Weakness
- VUPEN/ADV-2005-0105: Microsoft Outlook Web Access URL Injection Vulnerability
Reported:
Feb 05, 2005
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net