Microsoft Outlook Web Access Authentication Flaw Lets Remote Users Hijack User Sessions - SecurityTracker

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

Home | View Topics | Search | Contact Us |

SecurityTracker
Archives

Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (E-mail Server) > Microsoft Outlook Web Access

Vendors: Microsoft

Microsoft Outlook Web Access Authentication Flaw Lets Remote Users Hijack User Sessions

SecurityTracker Alert ID: 1024445

SecurityTracker URL: http://securitytracker.com/id/1024445

CVE Reference: CVE-2010-3213 (Links to External Site)

Date: Sep 14 2010

Impact: User access via network

Vendor Confirmed: Yes

Version(s): Exchange Server 2003 SP2, 2007 SP1, 2007 SP2

Description: A vulnerability was reported in Microsoft Outlook Web Access. A remote user can hijack a target user's session.

A remote user can create a specially crafted web site that, when loaded by the target user, will hijack the target user's active Outlook Web Access session.

The following versions are affected:

Microsoft Exchange Server 2003 SP2
Microsoft Exchange Server 2007 SP1
Microsoft Exchange Server 2007 SP2

The following versions are not affected:

Microsoft Exchange Server 2000 SP3
Microsoft Exchange Server 2007 SP3
Microsoft Exchange Server 2010
Microsoft Exchange Server 2010 SP1

Impact: A remote user can hijack a target user's authenticated session.

Solution: No solution was available at the time of this entry.

Microsoft has provided the following statement:

"A security update is not available because addressing the vulnerability would require a design change to implement a new http request verification framework for OWA to help prevent an attacker from hijacking a user's OWA session. Microsoft has determined that introducing a design change of such a magnitude into affected versions of Microsoft Exchange Server would bear too high a risk of destabilizing and breaking customer environments."

The vendor recommends upgrading to a version that is not affected.

The vendor's advisory is available at:

http://www.microsoft.com/technet/security/advisory/2401593.mspx

Vendor URL: www.microsoft.com/technet/security/advisory/2401593.mspx (Links to External Site)

Cause: Authentication error

Underlying OS: Windows (Any)

Message History: None.

Source Message Contents

Date: Tue, 14 Sep 2010 22:32:57 +0000
Subject: Microsoft Security Advisory (2401593) Vulnerability in Outlook Web Access Could Allow Elevation of Privilege


http://www.microsoft.com/technet/security/advisory/2401593.mspx

CVE-2010-3213

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us
Copyright 2013, SecurityGlobal.net LLC