| Field | Value |
|---|---|
| VID | 26068 |
| Severity | 30 |
| Port | 139, 445 |
| Protocol | TCP |
| Class | SMB |

Detailed Description:

The hotfix (KB828489) for 'Cross-Site Scripting Vulnerability in Exchange Server 5.5 Outlook Web Access' has not been applied. Microsoft Outlook Web Access (OWA) is a service of Exchange Server that is used to access a user's Exchange mailbox from a web browser. Through OWA, Exchange Server can also function as a web site that lets authorized users perform mail functions over the Internet. However, Microsoft Exchange Server 5.5 OWA has a cross-site scripting (XSS) vulnerability: the Active Server Page (ASP) that Exchange Server 5.5 Outlook Web Access uses when composing new messages echoes the requested URL back in HTML without correct encoding. To exploit this vulnerability through OWA, an attacker has to send the user an e-mail message containing a specially formed link and then persuade the user to click it. Once the link is clicked, the attacker's script is executed in the security context of the user, and the attacker can then access any data belonging to the site to which the user has access.

* Note: This check requires an account with Guest or higher privileges that can access the registry of the remote host being scanned. If these conditions are not met, the check is not performed, resulting in a false negative for all vulnerable hosts.
* References: http://www.microsoft.com/technet/security/bulletin/MS03-047.asp
* Platforms Affected: Microsoft Exchange Server 5.5 Service Pack 4; Windows 2000 (any version); Windows NT (any version); Windows XP (any version)

Recommendation:

Apply the appropriate patch for your system, as listed in Microsoft's security bulletin MS03-047 at http://www.microsoft.com/technet/security/bulletin/MS03-047.asp

1. Open the following page: http://www.microsoft.com/downloads/details.aspx?FamilyId=C516FE75-95CE-4FFF-B83D-9B170FCD0C1C&displaylang=en
2. Select a different language from the drop-down list and click the <Go> button.
3. Click the <Download> button to download the patch file.
4. Run this file to install the patch.

-- OR --

Patches for Windows platforms are also available from the Microsoft Windows Update web site, http://windowsupdate.microsoft.com . Windows Update detects which version of Windows you are running and offers the appropriate patch.

| Field | Value |
|---|---|
| Related URL | CVE-2003-0712 (CVE) |
| Related URL | 8832 (SecurityFocus) |
| Related URL | 13433 (ISS) |