Signature Detail

HTTP: Outlook Web Access Login Redirection

This signature detects attempts to exploit a known vulnerability in Microsoft Outlook Web Access that ships with Microsoft Exchange Server. Attackers can create a malicious link that, when accessed, can trick users into believing they are logging into their mail server, but instead their login information is being redirected to a Web site of the attacker's choice. Attackers can obtain user OWA login credentials, which are usually the same as NT Domain logins, enabling attackers to access the domain with the stolen user credentials.

Extended Description

A remote URI-redirection vulnerability affects Microsoft Outlook Web Access. This issue occurs because the application fails to properly sanitize URI-supplied data. An attacker may leverage this issue to carry out convincing phishing attacks against unsuspecting users by causing an arbitrary page to be loaded when the Microsoft Outlook Web Access login form is submitted.

Affected Products

• Microsoft exchange_server_2003 SP1
• Microsoft exchange_server_2003

References

• BugTraq: 12459
• CVE: CVE-2005-0420
• URL: http://www.symantec.com/avcenter/attack_sigs/s21208.html
• URL: http://exploitlabs.com/files/advisories/EXPL-A-2005-001-owa.txt