ISS X-Force Database: exchange-owa-script-execution(6652): Microsoft Exchange 2000 OWA script execution

Microsoft Exchange 2000 OWA script execution

exchange-owa-script-execution (6652)

High Risk

Description:

Microsoft Exchange 2000 Server using the Outlook Web Access (OWA) service could allow malicious scripts to be executed in a user's mailbox when Internet Explorer is used to access email using OWA. An attacker could embed a malicious script within an HTML email attachment. If a potential victim opens the attachment using Outlook Web Access, the script is then executed. An attacker could use this vulnerability to modify settings and alter or delete email messages and folders within the victim's mailbox.

Platforms Affected:

Microsoft, Exchange Server 2000

Remedy:

Apply the patch for this vulnerability, as listed in Microsoft Security Bulletin MS04-026. See References.

Note: Microsoft originally provided a patch for this vulnerability in MS01-030, but it has been superseded by the patch released with MS01-057 and MS03-047, and then superseded by the patch released with MS04-026. See References.

Consequences:

Gain Access

References:

CIAC Information Bulletin L-091A, Microsoft Exchange Server Outlook Web Access Flaw at http://www.ciac.org/ciac/bulletins/l-091.shtml.
Microsoft Security Bulletin MS01-030, Incorrect Attachment Handling in Exchange 2000 OWA Can Execute Script at http://www.microsoft.com/technet/security/bulletin/ms01-030.mspx.
Microsoft Security Bulletin MS01-057, Specially Formed Script in HTML Mail can Execute in Exchange 5.5 OWA at http://www.microsoft.com/technet/security/bulletin/ms01-057.mspx.
Microsoft Security Bulletin MS03-047, Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting Attack (828489) at http://www.microsoft.com/technet/security/bulletin/ms03-047.mspx.
Microsoft Security Bulletin MS04-026, Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting and Spoofing Attacks (842436) at http://www.microsoft.com/technet/security/bulletin/ms04-026.mspx.
BID-2832: Microsoft Exchange OWA Embedded Script Execution Vulnerability
CVE-2001-0340: An interaction between the Outlook Web Access (OWA) service in Microsoft Exchange 2000 Server and Internet Explorer allows attackers to execute malicious script code against a user's mailbox via a message attachment that contains HTML code, which is executed automatically.
US-CERT VU#149424: Outlook Web Access (OWA) executes scripts contained in email attachment opened via Microsoft Internet Explorer (IE)

Reported:

Jun 06, 2001

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page