[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] re: Microsoft Outlook Web Access URL Injection

To: <full-disclosure@xxxxxxxxxxxxxxxx>
Subject: [Full-Disclosure] re: Microsoft Outlook Web Access URL Injection
From: "morning_wood" <se_cur_ity@xxxxxxxxxxx>
Date: Mon, 7 Feb 2005 09:27:25 -0800

looks like MS is NOT publicly releasing a fix for this, while they have the
means and solution at hand.
( at least under IE )
a kind reader sent this little snippet...

"... was able to get Microsoft to provide us with a DLL
to drop under IIS 6 to compare URL variable against the Host: header
variable and do 302 to web root if they are not similar.  This fixed the
problem, however, I doubt that Microsoft will make this patch available to
the public."

what happend to MS commitment to security???


ugg,

m.w
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [Full-Disclosure] re: Microsoft Outlook Web Access URL Injection
  - From: Valdis . Kletnieks

Prev by Date: Re: [Full-Disclosure] Administrivia: Goodbye
Next by Date: Re: [Full-Disclosure] Administrivia: Goodbye
Previous by thread: [Full-Disclosure] DMA[2005-0131b] - 'Setuid Perl PERLIO_DEBUG buffer overflow'
Next by thread: Re: [Full-Disclosure] re: Microsoft Outlook Web Access URL Injection
Index(es):
- Date
- Thread