TITLE:
Microsoft Exchange Server Outlook Web Access Script Insertion
SECUNIA ADVISORY ID:
SA20634
VERIFY ADVISORY:
http://secunia.com/advisories/20634/
CRITICAL:
Moderately critical
IMPACT:
Cross Site Scripting
WHERE:
From remote
SOFTWARE:
Microsoft Exchange Server 2003
http://secunia.com/product/1828/
Microsoft Exchange Server 2000
http://secunia.com/product/41/
DESCRIPTION:
A vulnerability has been reported in Microsoft Exchange Server, which can be exploited by malicious people to conduct script insertion attacks.
The vulnerability is caused by an error within the Microsoft Outlook Web Access (OWA) service when filtering scripts in e-mail messages. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in the context of an affected site when a malicious e-mail message is viewed.
SOLUTION:
Apply patches.
Microsoft Exchange 2000 with Post-Service Pack 3 Update Rollup of August 2004:
http://www.microsoft.com/downloads/details.aspx?FamilyId=746CE64E-3186-422B-A13B-004E7942189B
Microsoft Exchange Server 2003 SP1:
http://www.microsoft.com/downloads/details.aspx?FamilyId=0E192781-847F-41C1-B32A-84218DB60942
Microsoft Exchange Server 2003 SP2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=C777BC9F-52B7-4F17-96C7-DAF3B9987D70
ORIGINAL ADVISORY:
MS06-029 (KB912442):
http://www.microsoft.com/technet/security/Bulletin/MS06-029.mspx