|
Microsoft Outlook Web Access "owalogon.asp" Redirection Weakness
|
|
Secunia Advisory:
|
SA14144
|
|
|
Release Date:
|
2005-02-08
|
|
Last Update:
|
2005-02-18
|
|
Popularity:
|
13,835 views
|
|
|
Critical:
|
Not critical
|
|
Impact:
|
Security Bypass
|
|
Where:
|
From remote
|
|
Solution Status:
|
Unpatched
|
|
| Software: | Microsoft Exchange Server 2003
|
|
|
Subscribe:
|
Instant alerts on relevant vulnerabilities 
|
|
| CVE reference: | CVE-2005-0420
|
|
Description:
Donnie Werner has reported a weakness in Microsoft Outlook Web Access (OWA), which potentially can be exploited by malicious people to conduct phishing attacks.
The weakness is caused due to a design error in the way OWA uses an unverified user supplied argument to redirect a user after successful authentication. This can e.g. be exploited by tricking a user into following a link from a HTML document to the trusted login page with a malicious "url" parameter. After successful authentication, the user will be redirected to the untrusted (fake) site.
Solution:
Do not follow links from untrusted sites or emails.
Provided and/or discovered by:
Donnie Werner
Changelog:
2005-02-18: Added CVE reference.
Original Advisory:
http://exploitlabs.com/files/advisories/EXPL-A-2005-001-owa.txt
|
|
|
Track this Secunia Advisory
|
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.
Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.
|
|
|
About this Secunia Advisory
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
