Vulnerabilities > CVE-2005-0420 - Open Redirect vulnerability in Microsoft Exchange Server 2003

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
microsoft
CWE-601
nessus
exploit available
NVD
Published: 2005-04-27
Updated: 2020-04-09

Summary

Microsoft Outlook Web Access (OWA), when used with Exchange, allows remote attackers to redirect users to arbitrary URLs for login via a link to the owalogon.asp application.

Vulnerable Configurations

Part Description Count
Application
Microsoft
2

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Fake the Source of Data
    An adversary provides data under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or it might be an attempt by the adversary to assume the rights granted to another identity. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.

Exploit-Db

descriptionMicrosoft Outlook 2003 Web Access Login Form Remote URI Redirection Vulnerability. CVE-2005-0420. Webapps exploit for asp platform
idEDB-ID:25084
last seen2016-02-03
modified2005-02-07
published2005-02-07
reporterMorning Wood
sourcehttps://www.exploit-db.com/download/25084/
titleMicrosoft Outlook 2003 Web Access Login Form Remote URI Redirection Vulnerability

Nessus

NASL familyCGI abuses
NASL idOWA_SQLINJECT.NASL
descriptionThe remote host is running Microsoft Outlook Web Access (OWA) 2003. Due to a lack of sanitization of the user input, the remote version of this software is vulnerable to URL injection that can be exploited to redirect a user to a different, unauthorized web server after authenticating to OWA. This unauthorized site could be used to capture sensitive information by appearing to be part of the web application.
last seen2020-06-01
modified2020-06-02
plugin id17636
published2005-03-28
reporterThis script is Copyright (C) 2005-2018 Michael J. Richardson
sourcehttps://www.tenable.com/plugins/nessus/17636
titleMicrosoft Outlook Web Access (OWA) owalogon.asp Redirection Account Enumeration
code
#
# This script was written by Michael J. Richardson <[email protected]>
# Vulnerability identified by Donnie Werner of Exploitlabs Research Team
#

# Changes by Tenable:
# - Revised plugin title, changed family (5/21/09)
# - Replaced see_also that was 404 (9/1/10)

include("compat.inc");

if (description)
{
  script_id(17636);
  script_version ("1.24");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

  script_cve_id("CVE-2005-0420");
  script_bugtraq_id(12459);

  script_name(english:"Microsoft Outlook Web Access (OWA) owalogon.asp Redirection Account Enumeration");
  script_summary(english:"The remote host is running Microsoft Outlook Web Access 2003 and is vulnerable to URL Injection.");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by a URL injection
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote host is running Microsoft Outlook Web Access (OWA) 2003. 

Due to a lack of sanitization of the user input, the remote version of
this software is vulnerable to URL injection that can be exploited to
redirect a user to a different, unauthorized web server after
authenticating to OWA.  This unauthorized site could be used to
capture sensitive information by appearing to be part of the web
application.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2005/Feb/101");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2005/Jul/483");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Microsoft Exchange Server 2007 as that reportedly
addresses the issue. 

Alternatively, edit the 'logon.asp' script used by OWA and hardcode a
value for 'redirectPath' in line 54.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"plugin_publication_date", value: "2005/03/28");
  script_set_attribute(attribute:"vuln_publication_date", value: "2005/02/08");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2020 Michael J. Richardson");
  script_family(english:"CGI abuses");

  script_dependencies("find_service1.nasl", "http_version.nasl");
  script_require_ports("Services/www", 80);
  exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");

port = get_http_port(default:80, embedded:TRUE);

if(!get_port_state(port))
  exit(0);

req = http_get(item:string("/exchweb/bin/auth/owalogon.asp?url=http://12345678910"), port:port);
res = http_keepalive_send_recv(port:port, data:req);

if ( res == NULL ) exit(0);

if(ereg(pattern:"^HTTP/[0-9]\.[0-9] 200 ", string:res) &&  
   "owaauth.dll" >< res && 
   '<INPUT type="hidden" name="destination" value="http://12345678910">' >< res)
  {
    security_warning(port);
    set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
    exit(0);
  }

References