CVE-2004-0203 - Unspecified vulnerability in Microsoft Exchange Server 5.5

Publication

2004-11-23

Last modification

2018-10-12

Summary

Cross-site scripting (XSS) vulnerability in Outlook Web Access for Exchange Server 5.5 Service Pack 4 allows remote attackers to insert arbitrary script and spoof content in HTML email or web caches via an HTML redirect query.

Description

Microsoft Exchange Outlook Web Access (OWA) is prone to HTTP response splitting attacks. This issue could permit hostile script to be injected into client sessions, where it could gain access to properties of the OWA server and Web pages hosted on the site. The attacker must authenticate to OWA to be in a position to exploit this issue. If successfully exploited, this could allow for various attacks, such as session hijacking and content spoofing. This issue could also be used to exploit latent vulnerabilities in Web client software.

Solution

Microsoft has released a Security Bulletin that includes fixes to address this issue.

Microsoft Exchange Server 5.5 SP4: Microsoft Security Update for Exchange 5.5 (KB842436)
http://www.microsoft.com/downloads/details.aspx?FamilyId=66E4E033-5A4C-4EEC-84F1-31F0CA878092&displaylang=en

Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at info@vumetric.com.

Risk level (CVSS AV:N/AC:M/Au:N/C:P/I:P/A:P)

Medium

6.8

Access Vector

  • Network

Access Complexity

  • Medium

Authentication

  • None

Confidentiality Impact

  • Partial

Integrity Impact

  • Partial

OVAL definition

{
    "accepted": "2007-11-13T12:01:05.055-05:00",
    "class": "vulnerability",
    "contributors": [
        {
            "name": "Christine Walzer",
            "organization": "The MITRE Corporation"
        },
        {
            "name": "Christine Walzer",
            "organization": "The MITRE Corporation"
        },
        {
            "name": "Jonathan Baker",
            "organization": "The MITRE Corporation"
        },
        {
            "name": "Jeff Cheng",
            "organization": "Opsware, Inc."
        },
        {
            "name": "Jeff Cheng",
            "organization": "Opsware, Inc."
        }
    ],
    "description": "Cross-site scripting (XSS) vulnerability in Outlook Web Access for Exchange Server 5.5 Service Pack 4 allows remote attackers to insert arbitrary script and spoof content in HTML email or web caches via an HTML redirect query.",
    "family": "windows",
    "id": "oval:org.mitre.oval:def:2016",
    "status": "accepted",
    "submitted": "2004-08-25T12:00:00.000-04:00",
    "title": "MS Exchange Server Cross-site Scripting Vulnerability",
    "version": "66"
}

Affected Products

Vendor     Product          Versions
Microsoft  Exchange Server  5.5