Microsoft Outlook Web Access (OWA) owalogon.asp Redirection Account Enumeration

medium Nessus Plugin ID 17636

Synopsis

The remote web server is affected by a URL injection vulnerability.

Description

The remote host is running Microsoft Outlook Web Access (OWA) 2003.

Because user input is not sanitized, the remote version of this software is vulnerable to URL injection, which can be exploited to redirect a user to a different, unauthorized web server after they authenticate to OWA. Such a site could capture sensitive information by appearing to be part of the web application.

Solution

Upgrade to Microsoft Exchange Server 2007 as that reportedly addresses the issue.

Alternatively, edit the 'logon.asp' script used by OWA and hardcode a value for 'redirectPath' in line 54.
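
The following log triage script is an added example, not part of the Nessus plugin or of OWA. It flags requests to owalogon.asp that carry a query-string value pointing at a host other than the OWA server. The host name, URL path, client addresses and parameter names in the sample are constructed assumptions; every parameter is inspected because this page does not name the one involved.

```python
from urllib.parse import parse_qsl, urlsplit

OWA_HOST = "mail.example.test"  # assumption: the legitimate OWA host name
LOGON_PAGE = "owalogon.asp"     # script named in the plugin title

# Constructed IIS W3C-style sample; paths, IPs and parameter names are made up.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query
2005-02-09 10:01:02 192.0.2.10 GET /owa/owalogon.asp dest=https://mail.example.test/exchange&reason=0
2005-02-09 10:02:13 192.0.2.44 GET /owa/owalogon.asp dest=https://login.example.invalid/exchange&reason=0
2005-02-09 10:03:40 192.0.2.45 GET /owa/owalogon.asp dest=%2F%2Flogin.example.invalid%2Fexchange
2005-02-09 10:04:05 192.0.2.11 GET /owa/owalogon.asp dest=%2Fexchange%2Finbox
2005-02-09 10:05:19 192.0.2.12 GET /owa/help.asp dest=https://login.example.invalid/
"""


def is_offsite(value, host):
    """True when a parameter value would send the browser to another host."""
    candidate = value.strip().replace("\\", "/")  # browsers treat \ like /
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return True  # unparseable authority: treat as suspicious
    if not parts.scheme and not parts.netloc:
        return False  # plain relative path or scalar value stays on this host
    return (parts.hostname or "").lower() != host.lower()


def suspicious_logons(log_text, host=OWA_HOST):
    """Return (client_ip, parameter, value) for off-host values sent to the logon page."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the records that follow
            continue
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        if not rec.get("cs-uri-stem", "").lower().endswith("/" + LOGON_PAGE):
            continue
        query = rec.get("cs-uri-query", "")
        for name, value in parse_qsl(query, keep_blank_values=True):
            if is_offsite(value, host):
                hits.append((rec.get("c-ip", "-"), name, value))
    return hits


if __name__ == "__main__":
    for hit in suspicious_logons(SAMPLE_LOG):
        print(hit)
```

Hits are leads for review rather than proof of abuse; a clean result after 'redirectPath' has been hardcoded is one way to confirm the workaround is in effect.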

See Also

https://seclists.org/fulldisclosure/2005/Feb/101

https://seclists.org/fulldisclosure/2005/Jul/483

Plugin Details

Severity: Medium

ID: 17636

File Name: owa_sqlinject.nasl

Version: 1.25

Type: remote

Family: CGI abuses

Published: 3/28/2005

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.5

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.4

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

Exploit Ease: No exploit is required

Vulnerability Publication Date: 2/8/2005

Reference Information

CVE: CVE-2005-0420

BID: 12459

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990