| 
   
            
 	            | Vulnerability ID | 21563 |   
 	            | Risk level | 30 |  
 	            | Port | 80, ... |  	
 	            | Protocol | TCP |  	
 	            | Category | CGI |  	
 	            | Detailed description | This Microsoft Outlook Web Access service is vulnerable to a remote URI redirection vulnerability. The Microsoft Outlook Web Access (OWA) service running on Windows 2003 can allow a remote attacker to redirect URL requests to a new location. This can potentially be exploited by malicious people to conduct phishing attacks. The vulnerability is caused by a design error in OWA, which uses an unvalidated user-supplied argument when redirecting a successfully authenticated user to a new location. This can be exploited by tricking a user into following a link, placed in some HTML document, to the trusted login page with a malicious "url" argument. After authenticating successfully, the user is redirected to an untrusted (fake) site. 
 * References:
 http://secunia.com/advisories/14144
 http://seclists.org/lists/fulldisclosure/2005/Feb/0106.html
 http://www.securitytracker.com/alerts/2005/Feb/1013086.html
 http://archives.neohapsis.com/archives/fulldisclosure/2005-02/0001.html
 http://exploitlabs.com/files/advisories/EXPL-A-2005-001-owa.txt
 
 * Affected platforms:
 Microsoft Outlook Web Access Any version
 Microsoft Windows 2003 Any version
 |  	
 	            | Solution | Refer to the following site and upgrade to Microsoft Exchange Server 2007 or later, or do not follow links from untrusted sites or email. http://www.microsoft.com/exchange/en-us/default.aspx
 |  	
 	            | Related URL | CVE-2005-0420 (CVE) |  	
 	            | Related URL | 12459 (SecurityFocus) |  
 	            | Related URL | 19225 (ISS) |  |