Discovered and reported 3 years ago http://www.google.com/search?hl=en&q=oaw+exploit+exploitlabs.com+
http://www.exploitlabs.com/files/advisories/EXPL-A-2005-001-owa.txt http://seclists.org/fulldisclosure/2005/Feb/0101.html http://forums.techarena.in/small-business-server/1006421.htm Microsoft Outlook Web Access "owalogon.asp" Redirection Weakness http://secunia.com/advisories/14144/ ----- Original Message ----- From: "Davide Del Vecchio" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]>; <full-disclosure@lists.grok.org.uk>; <[EMAIL PROTECTED]> Sent: Friday, October 17, 2008 12:07 PM Subject: Re: [Full-disclosure] MS OWA 2003 Redirection Vulnerability - [MSRC7368br] > Hi, > > I found and notified this vulnerability to Microsoft in date: > > Tue, 10 Apr 2007 15:40:13 +0200 > > You read exactly, April 2007, 1 year and 6 months ago. :( > > The Microsoft Security Response Center opened the case ID MSRC 7368br. > > The bug has never been patched since 1 year and 6 months. > I asked time to time for updates but they always answered me that the > bug had to be patched with the next Service Pack and they did not have > any ETA. > > This SP has still to be released. > > They told me that if I released the vulnerability prior to the official > patch, I could not be officially credited for that. I tought it was not > a critical vuln, and so I waited. Too much (?). > > I am a bit sorry for Microsoft, I think they lost an other chance since > now I feel a bit tricked. I am not sure if the next time I will wait so > much and I am not sure if I will suggest to anyone to wait for the > patch. I just hope Microsoft will credit me in the official patch. :( > > Below you can find the first mail I wrote to MS regarding the issue. > > Best regards, > > Davide Del Vecchio. > > > From: "Davide Del Vecchio" <[EMAIL PROTECTED]> > To: [EMAIL PROTECTED] > > Subject: Microsoft Outlook Web Access "redir.asp" Redirection Weakness > Date: Tue, 10 Apr 2007 15:40:13 +0200 > > Hello, > > I found a weakness in Microsoft Outlook Web Access (OWA), which > potentially can be exploited by malicious people to conduct phishing > attacks. > The weakness is caused due to a design error in the way OWA uses an > unverified user supplied argument to redirect a user after successful > authentication. > This can e.g. be exploited by tricking a user into following a link from > a HTML document to the trusted login page with a malicious "url" > parameter. > After successful authentication, the user will be redirected to the > untrusted (fake) site. > > The affected product is: > Microsoft Outlook Web Access ( OWA ) > Windows 2003 > > Examples: > https://[owa-url]/exchweb/bin/redir.asp?URL=http://www.example.com > > this will take the user to http://www.example.com when the login box > is pressed. > > https://[owa-url]/exchweb/bin/redir.asp?URL=http://www.example.com/setup.exe > prompts the user to download an executable or other file. > > The attacker can then have a page to capture the user / password > and redirect back to the original login page or some other form of > phishing attack. > > Note that this vulnerability is very similar to the one affecting > "owalogin.asp" described here: > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0420 > > Best regards, > > Davide Del Vecchio. > > Martin Suess ha scritto: > > ... > >> Timeline: >> --------- >> Vendor Status: MSRC tracking case closed >> Vendor Notified: March 31st 2008 >> Vendor Response: May 6th 2008 >> Advisory Release: October 15th 2008 >> Patch available: - (vulnerability not high priority) > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/