Microsoft OWA (Outlook Web Access) no-store information disclosure
| microsoft-owa-nostore-info-disclosure (42301) |
Description:
Microsoft OWA (Outlook Web Access) could allow a local attacker to obtain sensitive information, caused by the use of the no-cache directive instead of the no-store HTTP directive. By persuading a victim to view sensitive information during an OWA session, a local attacker could exploit this vulnerability to retrieve restricted data from the local host.
Platforms Affected:
- Microsoft, Outlook Web Access
Remedy:
No remedy available as of August 23, 2008.
Consequences:
Obtain Information
References:
- Microsoft Web site, Access your e-mail using Outlook Web Access at http://office.microsoft.com/en-us/outlook/HA010860351033.aspx.
- BID-29121: Microsoft Outlook Web Access 'no-store' HTTP Directive Information Disclosure Weakness
- CVE-2008-2143: Unspecified versions of Microsoft Outlook Web Access (OWA) use the Cache-Control: no-cache HTTP directive instead of no-store, which might cause web browsers that follow RFC-2616 to cache sensitive information.
- US-CERT VU#829876: Microsoft Outlook Web Access may not use the no-store HTTP directive
Reported:
May 09, 2008
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
For corrections or additions please email xforce@iss.net
