SEC-CONSULT Security Advisory <20060613-0 v2>
title: HTML Code Injection in Outlook Web Access
program: Outlook Web Access
vulnerable version: Exchange 2000 (SP3), 2003 (SP1), 2003 (SP2)
by: D. Fabian / SEC-CONSULT / www.sec-consult.com
T. Kerbl / SEC-CONSULT / www.sec-consult.com
2nd version notes:
The described vulnerability has been found by SEC Consult. SEC Consult
worked together with Microsoft on fixing the issue and a patch has been
released by Microsoft on June 13th 2006. The vendor advisory with links
to the patches is available from
As promised to Microsoft, we held back vulnerability details for two
weeks. This second version of our advisory contains details about the
vulnerability and its consequences for users.
Microsoft Office Outlook Web Access is an integrated component of
Exchange Server 2000/2003. By using only a Web browser and an Internet
or intranet connection, Outlook Web Access enables users to read their
corporate e-mail messages, schedules, and other information that is
stored on a server running Exchange.
Microsoft Outlook Web Access is vulnerable to an HTML code
injection/cross site scripting attack. A malicious user could craft a
steal session information from the victim's cookies, and thus enable the
attacker to get access to the victim's emails.
In alternative browsers like Mozilla Firefox or Opera the mere opening
read session information and send this to the attacker, who can then
perform session hijacking and read the victim's emails.
As Internet Explorer uses proprietary security mechanisms (mails are
displayed as pages in restricted security zone) it is not possible to
showed that using HTML attachments (which are also subject to input
Furthermore, HTML code injection is still possible directly in the email
body. This can be used, e.g., by malicious attackers to include images
which are displayed without further user interaction and thus verify
whether the user has read the email or not. Links can also be included
directly, circumventing OWA's redirection feature.
The vendor advisory is available from
The flaw is caused by erratic NULL-byte handling. Outlook Web Access
closes a tag by inserting a ">"-character as soon as it encounters a
NULL byte, regardless of the position in the tag. This behaviour can be
exploited by specifying a NULL byte within an argument. As the argument
is enclosed by quotes, the browser does not interpret the closing
">"-character and accepts further arguments by the user. The same
mechanism can be used to finally close the tag.
As the consequences of the vulnerability differ depending on the browser
in which OWA is opened, we split the discussion into two parts:
First the consequences in Internet Explorer, and second the
consequences in alternative browsers. Just to be clear, the flaw has
nothing to do with browser security. It is one and the same
vulnerability in OWA, it is just that the impact differs from the
-- Internet Explorer
Because OWA uses the (IE proprietary) attribute "security='restricted'"
in the IFrame that shows the message, we have not found a way to
way it works with alternative browsers. Also there are other security
features in OWA that can be circumvented by exploiting the
vulnerability directly in the email body.
OWA seems to have an internal list of tags and tag parameters that
are allowed. If it encounters a tag or parameter that is not allowed,
it is simply discarded. Certain parameters like href in <a>-tags or src
in <img>-tags have special treatment. If OWA encounters an image, it
simply replaces the src parameter's content with
"/exchweb/img/clear1x1.gif". If a user wants to see the image, he needs
to accept the warning "To help protect your privacy, links to images,
sounds, or other external content in this message have been blocked.
Click here to unblock content.". hrefs from links are wrapped by the
redirect script /exchweb/bin/redir.asp.
Using the perl script attached to this advisory, it is possible to
circumvent all of these security features. It is possible to specify
arbitrary parameters to tags. This can be used to directly display
images (which can in turn be used to verify if a user reads the email),
specify arbitrary link hrefs, specify the action attribute in the