OWA Exploit (IIS Server Security newsgroup archive, March 2005)
Ken Schaefer 2005-03-21, 8:47 pm
I am not aware of a fix.
The issue only arises if an attacker sends a link to a user, the user uses
the link to visit the arbitrary page, and then enters their credentials. If
the user never receives the link, or the user isn't ignorant enough to use
the page that comes up, then there is no problem. Basically there is a
redirect issue with OWA, but there is no vulnerability beyond that - the
rest relies on phishing/social engineering...
Cheers
Ken
"Rex Young" <RexYoung@discussions.microsoft.com> wrote in message
news:423F4ED9-62BF-4CB6-83A5-6C56CD9FAB70@microsoft.com...
: http://www.securiteam.com/windowsnt...5EP0E20F6C.html
:
: Anyone have a fix for this?
Chris Weber [Security MVP] 2005-03-23, 8:51 pm
Not to mention, the user must LOGIN to the OWA server before the redirect
takes place. This vulnerability should be added to the Hall of Cheese.
Chris
"Rex Young" <RexYoung@discussions.microsoft.com> wrote in message
news:423F4ED9-62BF-4CB6-83A5-6C56CD9FAB70@microsoft.com...
> http://www.securiteam.com/windowsnt...5EP0E20F6C.html
>
> Anyone have a fix for this?
Ken Schaefer 2005-03-23, 8:51 pm
As I understand it, the user doesn't log into OWA.
The user could be tricked into clicking on such a link (believing that it
points to their legitimate OWA website). The redirect issue causes an
arbitrary page to be displayed to the user. Then the usual social
engineer/phishing comes in. If the attacker can make the login page look
like a legitimate OWA login page, the user may be fooled into submitting
their Windows credentials to the fake site, giving the attacker those
credentials.
Cheers
Ken
"Chris Weber [Security MVP]" <chris@dev.nul> wrote in message
news:OxTwWaBMFHA.3500@TK2MSFTNGP14.phx.gbl...
: Not to mention, the user must LOGIN to the OWA server before the redirect
: takes place. This vulnerability should be added to the Hall of Cheese.
: Chris
:
:
:
: "Rex Young" <RexYoung@discussions.microsoft.com> wrote in message
: news:423F4ED9-62BF-4CB6-83A5-6C56CD9FAB70@microsoft.com...
: > http://www.securiteam.com/windowsnt...5EP0E20F6C.html
: >
: > Anyone have a fix for this?
:
:
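An added example, not code from this thread or from OWA itself, of the server-side check that removes the redirect issue the posts describe: a redirect parameter is honoured only when it is a local path or names an allow-listed host, so a crafted link cannot bounce the user to an arbitrary page. Host names and the fallback path are assumed placeholders.

```python
from urllib.parse import urlsplit

def is_safe_redirect(target: str, allowed_hosts: set) -> bool:
    """Return True only if `target` keeps the user on the application's own site."""
    if not target or target != target.strip():
        return False
    # Reject control characters and backslashes; some browsers treat "\" as "/",
    # which turns "/\evil.example" into a protocol-relative URL.
    if any(ord(c) < 0x20 for c in target) or "\\" in target:
        return False
    parts = urlsplit(target)
    # Only http(s) may leave the page; javascript:, data: and friends are refused.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.netloc:
        # `hostname` is lower-cased and stripped of userinfo and port, so
        # "https://owa.example.com@evil.example/" resolves to evil.example here.
        return parts.hostname in allowed_hosts
    # No authority: accept a single leading "/" only. "//host" is protocol-relative
    # and "evil.example" (no slash) is resolved by the browser relative to the page.
    return target.startswith("/") and not target.startswith("//")

def safe_redirect_target(target: str, allowed_hosts: set, fallback: str = "/exchange/") -> str:
    """Return `target` if it passes the check, otherwise a fixed local landing page."""
    return target if is_safe_redirect(target, allowed_hosts) else fallback

if __name__ == "__main__":
    # Constructed sample inputs: the allow-listed OWA host and a few crafted links.
    hosts = {"owa.example.com"}
    for t in ["/exchange/inbox", "//evil.example/login",
              "https://owa.example.com@evil.example/", "javascript:void(0)"]:
        print(t, "->", safe_redirect_target(t, hosts))
```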
Chris Weber [Security MVP] 2005-03-25, 6:02 pm
I'm pretty sure that's not the case. Try it yourself and see. The ASP
page which performs the redirect is not even accessible until you have
logged in.
/Chris
"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:OxtSv0BMFHA.1096@tk2msftngp13.phx.gbl...
> As I understand it, the user doesn't log into OWA.
>
> The user could be tricked into clicking on such a link (believing that it
> points to their legitimate OWA website). The redirect issue causes an
> arbitrary page to be displayed to the user. Then the usual social
> engineer/phishing comes in. If the attacker can make the login page look
> like a legitimate OWA login page, the user may be fooled into submitting
> their Windows credentials to the fake site, giving the attacker those
> credentials.
>
> Cheers
> Ken
>
>
> "Chris Weber [Security MVP]" <chris@dev.nul> wrote in message
> news:OxTwWaBMFHA.3500@TK2MSFTNGP14.phx.gbl...
> : Not to mention, the user must LOGIN to the OWA server before the
> redirect
> : takes place. This vulnerability should be added to the Hall of Cheese.
> : Chris
> :
> :
> :
> : "Rex Young" <RexYoung@discussions.microsoft.com> wrote in message
> : news:423F4ED9-62BF-4CB6-83A5-6C56CD9FAB70@microsoft.com...
> : > http://www.securiteam.com/windowsnt...5EP0E20F6C.html
> : >
> : > Anyone have a fix for this?
> :
> :
>
>