CERT-In Vulnerability Note CIVN-2006-51
Microsoft Outlook Web Access for Exchange Server script injection vulnerability.

Original Issue Date: June 14, 2006

Severity Rating: Medium

Systems Affected

  • Microsoft Exchange 2000 Server Service Pack 3
  • Microsoft Exchange Server 2003 Service Pack 1
  • Microsoft Exchange Server 2003 Service Pack 2

Overview

A script injection vulnerability has been reported in Microsoft Outlook Web Access (OWA), a service of Exchange Server. It could be exploited by attackers to execute arbitrary scripting code in the browser of a user reading mail through OWA.

Description

Microsoft Outlook Web Access (OWA) allows authorized users to read and send email, manage their calendar, and perform other functions on an Exchange server via the Web. Outlook Web Access fails to correctly filter script contained in an email message under certain circumstances. This results in a vulnerability that could allow an attacker to supply script that would be executed by a user using OWA to read email.

An attacker could exploit the vulnerability by constructing an e-mail message containing a specially crafted script. If this script is run, it executes in the security context of the user on the client. The script could be used to monitor the user's Web session and forward information to a third party, run other code on the user's system, and read or write cookies. Exploitation requires user interaction: the user must open the message in OWA.

Workarounds

  • Disable Outlook Web Access (OWA) on a computer running Exchange Server.

Solution

Apply the appropriate patches as described in Microsoft Security Bulletin MS06-029.

Vendor information

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS06-029.mspx

References

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS06-029.mspx

US-CERT VU# 138188
http://www.kb.cert.org/vuls/id/138188

FrSIRT
http://www.frsirt.com/english/advisories/2006/2326

Security Focus
http://www.securityfocus.com/bid/18381/info

CVE Name
CVE-2006-1193

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003