web application security lab

Outlook Web Access XSS exploit

Sec-Consult just announced that Outlook Web Access has an XSS vulnerability in it. They say that they are going to hold onto the exploit code for 2 weeks before releasing it. $10 goes to whoever finds it first. And yes, if you Sec-Consult guys just want $10, let me know. ;)

The implications may or may not be profound, depending on what the JavaScript has access to, and how the page is constructed.  I’ll refrain from commenting more before seeing the actual working exploit code, but it sounds bad, however it ends up working.  Nothing like reading people’s corporate mail remotely.  Sounds like an industrial espionage dream come true.

5 Responses to “Outlook Web Access XSS exploit”

  1. Sven Vetsch / Disenchant Says:

    Hi RSnake
    I’ve found something :)

    I’m sure it’s not the vulnerability which was found by the Sec-Consult guys and it isn’t really dangerous at all.

    You only have to set your User-Agent to an XSS-String (like alert(123);) and then go to https://[hostname]/exchweb/bin/GER/logoff.asp (or click on logout :P) and it will be executed :)
    (it’s a https-connection so you have to be logged in first)

    So, you can save your money because you wrote “whoever finds it first” and as I said it’s not this vuln. (it’s more a bug than a vuln). At the moment I haven’t had much time to do some security research on Outlook Web Access, but in the little time I spent on this I found some interesting effects on how it decodes code and where you can set which “option”. If I have the time I’ll do some more research and if I find something you’ll hear about it.

    PS: Tested on version 2000

  2. Sven Vetsch / Disenchant Says:

    The nasty blog killed the Script-Tags in my example before. You have to use them around your XSS :)
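What Sven describes in the two comments above is a request header (User-Agent) reflected into a logoff page without HTML encoding. As an added illustration that is not part of this post, the comments, or Outlook Web Access itself, the stand-in below shows that reflection next to the encoded version, and a small check over constructed web-server log lines that flags requests whose User-Agent carries markup. The page template, log format and sample entries are all assumptions made for the example.

```python
import html
import re

# Constructed stand-in (not Outlook Web Access code) for a logoff page that
# echoes the request's User-Agent header into its HTML body.
LOGOFF_TEMPLATE = (
    "<html><body><p>You have logged off.</p>"
    "<p>Browser: {ua}</p></body></html>"
)


def render_logoff_vulnerable(user_agent: str) -> str:
    """Reflects the raw header: any markup in it becomes part of the page."""
    return LOGOFF_TEMPLATE.format(ua=user_agent)


def render_logoff_fixed(user_agent: str) -> str:
    """Same page, but the header is HTML-encoded before it is inserted."""
    return LOGOFF_TEMPLATE.format(ua=html.escape(user_agent, quote=True))


# Matches anything that looks like an HTML tag, opening or closing.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def reflects_markup(page: str, untrusted: str) -> bool:
    """True if the untrusted value survived verbatim into the page and carries a tag."""
    return untrusted in page and TAG_RE.search(untrusted) is not None


# Assumed combined log format: client, ident, user, [time], "request",
# status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+ "[^"]*" "([^"]*)"$'
)


def suspicious_user_agents(log_lines):
    """Return (client, request, user_agent) for entries whose User-Agent contains markup.

    A browser never sends angle brackets in its User-Agent, so a tag there
    is a strong signal that someone is probing a reflected-header sink.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        client, request, _status, ua = m.groups()
        if TAG_RE.search(ua):
            hits.append((client, request, ua))
    return hits


# Constructed sample log lines: one normal browser, one probe of the logoff page.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2006:10:00:00 +0000] "GET /exchweb/bin/GER/logoff.asp HTTP/1.1" '
    '200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '10.0.0.9 - - [01/Jan/2006:10:00:07 +0000] "GET /exchweb/bin/GER/logoff.asp HTTP/1.1" '
    '200 540 "-" "<script>alert(123);</script>"',
]


if __name__ == "__main__":
    probe = "<script>alert(123);</script>"
    print("vulnerable page reflects markup:", reflects_markup(render_logoff_vulnerable(probe), probe))
    print("fixed page reflects markup:     ", reflects_markup(render_logoff_fixed(probe), probe))
    for client, request, ua in suspicious_user_agents(SAMPLE_LOG):
        print(f"flag: {client} {request!r} User-Agent={ua!r}")
```

The encoded version keeps the header visible on the page as text (`&lt;script&gt;...`) while removing its meaning as markup, which is the whole fix; the log check is the kind of rule a proxy or SIEM could run to spot anyone exercising such a sink, regardless of whether the page is vulnerable.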

  3. RSnake Says:

    Thanks, Sven, and I’d agree… that’s a pretty bizarre set of circumstances to cause that… not exactly remotely exploitable, and although poor coding practice, it’s certainly not exploitable. Interesting though. I wonder if that’s what they were talking about.

  4. Bill Beaver Says:

    I’m sure that the guys from SEC Consult earn at least 12 to 15 USD per month :-)

  5. RSnake Says:

    I’m not a wealthy man. Anyone want to chip in the remaining $2-5? As a bonus, I’ll throw in a really crappy pen I found on the floor at work. It writes terribly and has some chew marks in it.
