HTML Code Injection in Outlook Web Access

SEC-CONSULT Security Advisory < 20060613-0 >


title: HTML Code Injection in Outlook Web Access

program: Outlook Web Access

vulnerable version: Exchange 2000 (SP3), 2003 (SP1), 2003 (SP2)

impact: severe


found: 2005-10-25

by: D. Fabian / SEC-CONSULT /

T. Kerbl / SEC-CONSULT /



vendor description:



Microsoft Office Outlook Web Access is an integrated component of

Exchange Server 2000/2003. By using only a Web browser and an Internet

or intranet connection, Outlook Web Access enables users to read their

corporate e-mail messages, schedules, and other information that is

stored on a server running Exchange.






vulnerability overview:



Microsoft Outlook Web Access is vulnerable to an HTML code

injection/cross site scripting attack. A malicous user could craft a

mail containing HTML and Javascript code. Such code could be used to

steal session information from the victims cookies, and thus enable

the attacker to get access to the victim's emails.


In alternative Browsers like Mozilla Firefox or Opera the mere opening

of an crafted email is enough for Javascript code to execute. As soon

as the victim clicks on the malicious email, the Javascript code can

read session information and send this to the attacker, who can

then perform session highjacking and read the victims emails.


As Internet Explorer uses proprietary security mechanisms (mails

are displayed as pages in restricted security zone) it is not

possible to inject Javascript code directly into email bodies.

However our research showed, that using HTML attachments (which are

also subject to input sanitation in OWA), the Javascript Code can be

successfully executed. Furthermore HTML Code injection is still

possible directly in the email body. This can be used e.g. by

malicious attackers to include images which are displayed without

further user interaction and thus verify whether the user read the

email or not. Also links can be directly included, curcumventing

OWA's redirection feature.



vulnerability details:



To allow time to Microsoft Exchange administrators to patch their

systems, SEC Consult is going to withhold vulnerability and exploit

details for 2 weeks.



vulnerable versions:



The following versions of Microsoft Exchange Server are vulnerable

to the described security flaw:


- Microsoft Exchange 2000 Server Pack 3 with the August 2004

Exchange 2000 Server Post-Service Pack 3 Update Rollup

- Microsoft Exchange Server 2003 Service Pack 1

- Microsoft Exchange Server 2003 Service Pack 2



vendor status:


vendor notified: 2005-10-27

vendor response: 2005-10-27

patch available: 2006-06-13




SEC Consult Unternehmensberatung GmbH


Office Vienna

Blindengasse 3

A-1080 Wien



Tel.: +43 / 1 / 890 30 43 - 0

Fax.: +43 / 1 / 890 30 43 - 15

Mail: office at sec-consult dot com


EOF Daniel Fabian / @2006

research at sec-consult dot com