ms03-047
Posted Oct 16, 2003
Site microsoft.com

Microsoft Security Advisory MS03-047 - Microsoft Exchange Server 5.5, Service Pack 4, suffers from a cross site scripting attack due to the way Outlook Web Access (OWA) performs HTML encoding in the Compose New Message form.

tags | advisory, web, xss
SHA-256 | 643e2eb1f2bd8cf2e8d911578d71880652aaaa6792f3f3d48d274526d86d308b


Microsoft Security Bulletin MS03-047

Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting
Attack (828489)

Issued: October 15, 2003
Version Number: 1.0

Summary

Who Should Read This Document: System administrators who have servers running
Microsoft® Exchange Server 5.5 Outlook® Web Access

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Moderate

Recommendation: System administrators should install this security patch on their
servers running Outlook Web Access 5.5

Patch Replacement: None

Caveats: Customers who have customized any of the ASP pages in the File Information
section in this document should back up those files before applying this patch as
they will be overwritten when the patch is applied. Any customizations would then
need to be reapplied to the new ASP pages.

Tested Software and Patch Download Locations:

Affected Software:
* Microsoft Exchange Server 5.5, Service Pack 4 - Download the patch

Non Affected Software:
* Microsoft Exchange 2000 Server
* Microsoft Exchange Server 2003

The software listed above has been tested to determine if the above versions are
affected. Other versions are no longer supported, and may or may not be affected.

Technical Details

Technical Description:

A cross-site scripting (XSS) vulnerability results due to the way that Outlook Web
Access (OWA) performs HTML encoding in the Compose New Message form.

An attacker could seek to exploit this vulnerability by having a user run script on
the attacker's behalf. The script would execute in the security context of the user.
If the script executes in the security context of the user, the attacker's code
could then execute by using the security settings of the OWA Web site (or of a Web
site that is hosted on the same server as the OWA Web site) and could enable the
attacker to access any data belonging to the site where the user has access.

To exploit this vulnerability through OWA, an attacker would have to send an e-mail
message that has a specially-formed link to the user. The user would then have to
click the link. To exploit this vulnerability in another way, an attacker would have
to know the name of the user's Exchange server and then entice the user to open a
specially-formed link from another source while the user is logged on to OWA.

Note: Customers who have customized any of the ASP pages in the File Information
section in this document should back up those files before applying this patch as
they will be overwritten when the patch is applied. Any customizations would then
need to be reapplied to the new ASP pages. Please refer to the Microsoft Support
Policy for the Customization of Outlook Web Access available at
http://support.microsoft.com/default.aspx?scid=kb;en-us;327178

Mitigating factors:
* To be affected, the user would have to be logged onto OWA, be enticed to log on to
OWA, or use another Web application on the same server as OWA. Generally, a server
that runs Exchange Server 5.5 Outlook Web Access does not run other Web
applications for reasons of performance, scalability, and security.
* To exploit this vulnerability through OWA, an attacker would have to send an e-mail
message that has a specially-formed link to a user. The user would then have to
click the link.
* In the Web-based attack vector, an attacker would have to know the name of a user's
Exchange server and then entice the user to open a specially-formed link from some
other source while the user is logged on to OWA.

Severity Rating:

Exchange Server 5.5 Outlook Web Access: Moderate

The above assessment is based on the types of systems affected by the vulnerability,
their typical deployment patterns, and the effect that exploiting the vulnerability
would have on them.

Vulnerability identifier: CAN-2003-0712

Workarounds

Microsoft has tested the following workarounds. These workarounds will not correct
the underlying vulnerability; however, they help block known attack vectors.
Workarounds may cause a reduction in functionality in some cases - in such
situations this is identified below.

1. Disable Outlook Web Access for each Exchange site

Outlook Web Access can be disabled by following these steps. These steps need to be
performed on each Exchange site.

   1. Start Exchange Administrator.
   2. Expand the Configuration container for the site.
   3. Select the Protocols container for the site.
   4. Open the properties of the HTTP (Web) Site Settings object.
   5. Clear the "Enable Protocol" checkbox.
   6. Wait for the change to replicate, and then verify that this change has replicated
      to each server in the site. To do this, bind to each server in the site with
      Exchange Administrator and view the setting.

Impact of Workaround: Users will have no access to their mailboxes via Outlook Web
Access.

2. Uninstall Outlook Web Access

For steps on how to do this, please refer to the Knowledge Base Article "How to
Completely Remove and Re-Install OWA" available at
http://support.microsoft.com/default.aspx?scid=kb;en-us;290287

Impact of Workaround: Users will have no access to their mailboxes via Outlook Web
Access.

For additional information about how to help make your Exchange environment more
secure, visit the Security Resources for Exchange 5.5 Web site.

Frequently Asked Questions

What is the scope of this vulnerability?
This is a cross-site scripting vulnerability. This vulnerability could enable an
attacker to cause arbitrary code to run during another user's Web session. The code
could take any action on the user's computer that the Web site is authorized to
take; this could include monitoring the Web session and forwarding information to a
third party, running other code on the user's system and reading or writing cookies.
The code could be written to be persistent, so that if the user returned to the Web
site again, the code would run again.

The vulnerability cannot be "injected" into a Web session; it can only be exploited
if the user clicks a hyperlink that the attacker provides.

To exploit this vulnerability in another way, other than sending the specially-formed
link in e-mail to a user, an attacker would have to know the name of a user's
Exchange server and then entice the user to open a specially-formed link from some
other source while the user is logged on to OWA.

What is Outlook Web Access?
Microsoft Outlook Web Access (OWA) is a service of Exchange Server. By using OWA,
users can use a Web browser to access their Exchange mailbox. By using OWA, a server
that is running Exchange Server can also function as a Web site that lets authorized
users read or send mail, manage their calendar, or perform other mail functions over
the Internet.

What is cross-site scripting?
Cross-site scripting (XSS) is a security vulnerability that could enable an attacker
to "inject" code into a user's session with a Web site. Unlike most security
vulnerabilities, XSS does not apply to any single vendor's products - instead, it
can affect any software that generates HTML and that does not follow defensive
programming practices.

How does XSS work?

Web pages contain text and HTML markup, which are generated by the server and are
interpreted by the client. Servers that generate static pages have full control over
the way that the client interprets the pages that the server sends. However, servers
that generate dynamic pages do not have control over the way that the client
interprets their output. If untrusted content can be introduced into a dynamic page,
neither the server nor the client has sufficient information to recognize that this
has occurred and to take protective actions.

More information about how cross-site scripting works and what can be done to
mitigate such attacks can be found at Information about Cross-Site Scripting
Security Vulnerability.

What causes the vulnerability?
The vulnerability results because the Active Server Page (ASP) that Exchange Server
5.5 Outlook Web Access uses when it composes new messages replays the requested URL
in HTML without the correct encoding.

What is wrong with Outlook Web Access?
When a user creates a new e-mail message, OWA does not correctly encode the URL for
display in HTML. As a result, an attacker could embed a link to a script on a
separate Web site and could cause the link to be returned to the Web browser in such
a way that the browser thinks that it comes from the OWA Web site.

What could this vulnerability enable an attacker to do?
The vulnerability could enable an attacker who hosts a malicious Web site, or who
can entice a user to click a specially-formed link, to carry out a cross-site
scripting attack against the user's OWA Web site. By doing so, an attacker could run
script in the user's browser, could use the security settings of the OWA Web site
or of any other Web site that is hosted on the same system, and could access cookies
and other data that belong to the Web site.

How could an attacker exploit this vulnerability?
An attacker who hosts a malicious Web site could seek to exploit this vulnerability
by sending a specially-crafted e-mail message that has an embedded script or link
that, when accessed, would send out a Web server query that has a script as part of
one of the arguments. The user would have to click the link in the e-mail message
while it appears in OWA or while it appears on an external Web site.
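
A defender can look for the "Web server query that has a script as part of one of the arguments" in the Web server's request logs. The following is an added example, not part of the bulletin: it assumes W3C extended-format logs with the query string recorded as received, and the page name, parameter name and log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# HTML metacharacters that have no place in a mail form's query arguments.
MARKUP = re.compile(r'[<>"]')

# Constructed sample log (W3C extended format); paths and values are illustrative.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-10-16 09:12:01 192.0.2.10 GET /mail/compose.asp obj=0001&action=new 200
2003-10-16 09:12:44 192.0.2.77 GET /mail/compose.asp obj=%22%3E%3Cscript%3Eprobe()%3C/script%3E 200
2003-10-16 09:13:02 192.0.2.77 GET /mail/compose.asp obj=%2522%253E%253Cimg%2520src%253Dx%253E 200
2003-10-16 09:13:30 192.0.2.10 GET /mail/logo.gif - 200
""".splitlines()


def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (%253C -> %3C -> <), bounded in depth."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(log_lines, stem_suffix=".asp"):
    """Return (client, page, decoded query) for requests carrying markup."""
    fields, hits = [], []
    for line in log_lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # Column order is declared by the log itself; do not hard-code it.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "")
        query = row.get("cs-uri-query", "-")
        if not stem.lower().endswith(stem_suffix) or query == "-":
            continue
        decoded = fully_decode(query)
        if MARKUP.search(decoded):
            hits.append((row.get("c-ip"), stem, decoded))
    return hits


if __name__ == "__main__":
    for client, page, query in suspicious_requests(SAMPLE_LOG):
        print(f"{client} {page} {query}")
```

Hits show that a crafted link was requested, not that script ran; whether it executed depends on whether the server was patched at the time.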

Are all versions of OWA vulnerable?
No. The vulnerability affects only Exchange Server 5.5 Outlook Web Access.

On which Exchange servers should I install the patch?
This patch is intended only for servers that are running Exchange Server 5.5 Outlook
Web Access. You do not have to install this patch on servers that are not running
Exchange Server 5.5 Outlook Web Access.

I have customized my OWA site, what do I do?
Customers who have customized any of the ASP pages in the File Information section in
this document should back up those files before applying this patch as they will be
overwritten when the patch is applied. Any customizations would then need to be
reapplied to the new ASP pages. Please refer to the Microsoft Support Policy for the
Customization of Outlook Web Access available at
http://support.microsoft.com/default.aspx?scid=kb;en-us;327178

How does the patch eliminate the vulnerability?
The patch eliminates the vulnerability by ensuring that OWA script arguments are
encoded so that they cannot be unintentionally executed.
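
The flaw described under "What causes the vulnerability?" and the fix described above can be seen side by side in a small model. This is an added example, not code from the bulletin or from OWA: the form template, the page name and the "obj" parameter are hypothetical, and the request is a constructed sample.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Hypothetical compose-form markup; NOT the OWA page source.
FORM_TEMPLATE = (
    '<form method="post" action="{action}">'
    '<textarea name="body"></textarea></form>'
)

# Constructed sample request. The page name and the "obj" parameter are
# assumptions made for this illustration.
SAMPLE_URL = "/compose.asp?obj=%22%3E%3Cscript%3Eprobe()%3C/script%3E"


def render_unencoded(requested_url):
    """Flawed pattern: the decoded request URL is replayed into HTML verbatim."""
    return FORM_TEMPLATE.format(action=unquote(requested_url))


def render_encoded(requested_url):
    """Corrected pattern: HTML-encode the value for its attribute context."""
    return FORM_TEMPLATE.format(
        action=html.escape(unquote(requested_url), quote=True)
    )


class TagCollector(HTMLParser):
    """Records the start tags an HTML parser sees, plus the form's action."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.form_action = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "form":
            self.form_action = dict(attrs).get("action")


def parse_response(markup):
    """Return (start tags seen, form action as the parser decodes it)."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags, collector.form_action


if __name__ == "__main__":
    for render in (render_unencoded, render_encoded):
        tags, action = parse_response(render(SAMPLE_URL))
        print(f"{render.__name__}: tags={tags} action={action!r}")
```

In the unencoded response the quote in the URL closes the attribute early and the parser sees a script element; in the encoded response the same characters stay inside the action value as data.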

Security Patch Information

For information about the specific security patch for your platform, click the
appropriate link:

Exchange Server 5.5 SP4

Prerequisites:

This security patch requires Outlook Web Access on Exchange Server 5.5 Service Pack
4.

Installation Information:

For additional information about the command options that you can use to apply this
update, click the article number below to view the article in the Microsoft
Knowledge Base:

257946 XGEN: GUI Hotfix Utility Switches /x /m /s /z

Deployment Information

To install the security patch without any user intervention, use the following
command line:

Exchange5.5-KB828489-x86-enu.EXE /s

For information about how to deploy this security patch with Microsoft Software
Update Services, visit the following Microsoft Web site:

http://www.microsoft.com/sus/

Restart Requirement:

No. However, the security patch will restart Microsoft Internet Information Services
(IIS), the Exchange Store, and the Exchange System Attendant Services. For this
reason, install the patch when no users are logged on through OWA.

Removal Information:

To remove this update, use the Add or Remove Programs tool in Control Panel or issue
the following command in a console window:

%EXCHSRVR%\828489\UNINSTALL\UNINST.EXE

File Information:

The English version of this fix has the file attributes (or later) that are listed
in the following table. The dates and times for these files are listed in
coordinated universal time (UTC). When you view the file information, it is
converted to local time. To find the difference between UTC and local time, use the
Time Zone tab in the Date and Time tool in Control Panel.

Date        Time   Version     Size           File Name     Folder
09/16/2003  13:03  5.2657.67   802,576        cdo.dll       %WIN%\system32
09/16/2003  11:50  5.2657.67   536,848        CDOHTML.DLL   %EXSRVROOT%\bin
07/19/2003  12:45  6.5.6582.0  57,344         htmlsnif.dll  %EXSRVROOT%\bin
07/19/2003  12:45  6.5.6582.0  225,280        safehtml.dll  %EXSRVROOT%\bin
07/19/2003  01:02  NA          658,432 5,118  global.asa    %EXSRVROOT%\WEBDATA
08/12/2003  12:15  NA          1,180          encode.inc    %EXSRVROOT%\WEBDATA\%WEBDATALANG%
09/16/2003  11:49  NA          6,835          root.asp      %EXSRVROOT%\WEBDATA\%WEBDATALANG%
09/16/2003  11:49  NA          2,473          read.asp      %EXSRVROOT%\WEBDATA\%WEBDATALANG%\ATTACH
09/16/2003  11:49  NA          2,424          events.asp    %EXSRVROOT%\WEBDATA\%WEBDATALANG%\CALENDAR
09/16/2003  11:49  NA          5,783          main_fr.asp   %EXSRVROOT%\WEBDATA\%WEBDATALANG%\CALENDAR
09/16/2003  11:49  NA          4,336          fumsg.asp     %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FINDUSER
09/16/2003  11:49  NA          12,928         amunres.asp   %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS
09/16/2003  11:49  NA          3,458          openitem.asp  %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS
09/16/2003  11:49  NA          3,174          pickform.asp  %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS
09/16/2003  11:49  NA          13,271         contdet.asp   %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\CONTACT
09/16/2003  11:50  NA          7,952          frmroot.asp   %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\CONTACT
09/16/2003  11:50  NA          5,388          postatt.asp   %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\CONTACT
09/16/2003  11:49  NA          11,230         postMsg.asp   %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\CONTACT
09/16/2003  11:50  NA          5,189          postroot.asp  %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\CONTACT
09/16/2003  11:49  NA          7,896          posttitl.asp  %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\CONTACT
09/16/2003  11:49  NA          5,354          cmpatt.asp    %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\NOTE
09/16/2003  11:50  NA          7,390          cmpmsg.asp    %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\NOTE
09/16/2003  11:49  NA          3,133          cmpOpt.asp    %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\NOTE
09/16/2003  11:49  NA          7,091          cmpTitle.asp  %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\NOTE
09/16/2003  11:49  NA          8,501          frmroot.asp   %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\NOTE
09/16/2003  11:49  NA          5,306          postatt.asp   %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\POST
09/16/2003  11:49  NA          6,419          postMsg.asp   %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\POST
09/16/2003  11:49  NA          6,485          postroot.asp  %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\POST
09/16/2003  11:49  NA          5,238          posttitl.asp  %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\POST
09/16/2003  11:49  NA          8,892          frmroot.asp   %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\SCHEDULE\MEETING\CANCELED
09/16/2003  11:49  NA          30,942         frmRoot.asp   %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\SCHEDULE\MEETING\REQUEST
09/16/2003  11:49  NA          21,055         mrAppt.asp    %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\SCHEDULE\MEETING\REQUEST
09/16/2003  11:49  NA          5,785          mrAtt.asp     %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\SCHEDULE\MEETING\REQUEST
09/16/2003  11:49  NA          2,931          mrOpt.asp     %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\SCHEDULE\MEETING\REQUEST
09/16/2003  11:49  NA          12,675         mrPlaner.asp  %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\SCHEDULE\MEETING\REQUEST
09/16/2003  11:50  NA          26,555         mrRecur.asp   %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\SCHEDULE\MEETING\REQUEST
09/16/2003  11:49  NA          10,735         mrTitle.asp   %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\SCHEDULE\MEETING\REQUEST
09/16/2003  11:49  NA          11,544         frmroot.asp   %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\SCHEDULE\MEETING\RESP
09/16/2003  11:49  NA          5,323          rspatt.asp    %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\SCHEDULE\MEETING\RESP
09/16/2003  11:49  NA          8,753          rspmsg.asp    %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\SCHEDULE\MEETING\RESP
09/16/2003  11:49  NA          3,184          rspopt.asp    %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\SCHEDULE\MEETING\RESP
09/16/2003  11:49  NA          7,776          rsptitle.asp  %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\SCHEDULE\MEETING\RESP
09/16/2003  11:49  NA          11,802         commands.asp  %EXSRVROOT%\WEBDATA\%WEBDATALANG%\INBOX
09/16/2003  11:49  NA          11,166         main_fr.asp   %EXSRVROOT%\WEBDATA\%WEBDATALANG%\INBOX
09/16/2003  11:49  NA          8,185          root.asp      %EXSRVROOT%\WEBDATA\%WEBDATALANG%\MOVCPY

Verifying patch installation:

To verify that the security patch is installed on your computer, use the Microsoft
Baseline Security Analyzer (MBSA) tool. For additional information about MBSA, click
the following article number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer Version 1.1.1 Is Available

You may also be able to verify the files that this security patch installed by
reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Exchange Server 5.5\SP5\828489

Note: This registry key may not be created properly when an administrator or an
OEM integrates or slipstreams the 828489 security patch into the Windows
installation source files.

Acknowledgments

Microsoft thanks the following for working with us to protect customers:
* Ory Segal of Sanctum Inc. for reporting the issue described in MS03-047.

Obtaining other security patches:

Patches for other security issues are available from the following locations:
* Security patches are available from the Microsoft Download Center, and can be most
easily found by doing a keyword search for "security_patch".
* Patches for consumer platforms are available from the WindowsUpdate web site

Support:
* Technical support is available from Microsoft Product Support Services at
1-866-PCSAFETY. There is no charge for support calls associated with security
patches.

Security Resources:
* The Microsoft TechNet Security Web Site provides additional information about
security in Microsoft products.
* Microsoft Software Update Services: http://www.microsoft.com/sus/
* Microsoft Baseline Security Analyzer (MBSA) details: http://www.microsoft.com/mbsa.
Please see http://support.microsoft.com/default.aspx?scid=kb;EN-US;306460 for a list
of security patches that have detection limitations with the MBSA tool.
* Windows Update Catalog:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;323166
* Windows Update: http://windowsupdate.microsoft.com
* Office Update: http://office.microsoft.com/officeupdate/

Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without
warranty of any kind. Microsoft disclaims all warranties, either express or implied,
including the warranties of merchantability and fitness for a particular purpose. In no
event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business profits or
special damages, even if Microsoft Corporation or its suppliers have been advised of
the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may
not apply.

Revisions:
* V1.0 (October 15, 2003): Bulletin published.

© 2003 Microsoft Corporation. All rights reserved.