Thread-topic: [SA20634] Microsoft Exchange Server Outlook Web Access Script Insertion
>
> TITLE:
> Microsoft Exchange Server Outlook Web Access Script Insertion
>
> SECUNIA ADVISORY ID:
> SA20634
>
> VERIFY ADVISORY:
> http://secunia.com/advisories/20634/
>
> CRITICAL:
> Moderately critical
>
> IMPACT:
> Cross Site Scripting
>
> WHERE:
> From remote
>
> SOFTWARE:
> Microsoft Exchange Server 2003
> http://secunia.com/product/1828/
> Microsoft Exchange Server 2000
> http://secunia.com/product/41/
>
> DESCRIPTION:
> A vulnerability has been reported in Microsoft Exchange Server, which
> can be exploited by malicious people to conduct script insertion
> attacks.
>
> The vulnerability is caused due to an error within the Microsoft
> Outlook Web Access (OWA) service when filtering scripts in e-mail
> messages. This can be exploited to insert arbitrary HTML and script
> code, which is executed in a user's browser session in context of an
> affected site when a malicious e-mail message is viewed.
>
> SOLUTION:
> Apply patches.
>
> Microsoft Exchange 2000 with Post-Service Pack 3 Update Rollup of
> August 2004:
> http://www.microsoft.com/downloads/details.aspx?FamilyId=746CE
> 64E-3186-422B-A13B-004E7942189B
>
> Microsoft Exchange Server 2003 SP1:
> http://www.microsoft.com/downloads/details.aspx?FamilyId=0E192
> 781-847F-41C1-B32A-84218DB60942
>
> Microsoft Exchange Server 2003 SP2:
> http://www.microsoft.com/downloads/details.aspx?FamilyId=C777B
> C9F-52B7-4F17-96C7-DAF3B9987D70
>
> PROVIDED AND/OR DISCOVERED BY:
> The vendor credits Daniel Fabian, SEC Consult.
>
> ORIGINAL ADVISORY:
> MS06-029 (KB912442):
> http://www.microsoft.com/technet/security/Bulletin/MS06-029.mspx
>