CVE-2008-1547
published 2008-10-21CVE-2008-1547: Open redirect vulnerability in exchweb/bin/redir.asp in Microsoft Outlook Web Access (OWA) for Exchange Server 2003 SP2 (aka build 6.5.7638) allows remote…
PriorityP432medium4.3CVSS 2.0
AVNACMAuNCNIPAN
EXPLOIT
EPSS
45.93%
98.7th percentile
Open redirect vulnerability in exchweb/bin/redir.asp in Microsoft Outlook Web Access (OWA) for Exchange Server 2003 SP2 (aka build 6.5.7638) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the URL parameter.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | exchange_server | — | — |
Detection & IOCsextracted from sources · hover to see the quote
urlhttps://webmail.example.com/CookieAuth.dll?GetLogon?url=%2Fexchweb%2Fbin%2Fredir.asp%3FURL%3Dhttp%3A%2F%2Fwww.example2.com&reason=0↗
sigma↗
regex: '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
- →Detect open redirect exploitation attempts by monitoring HTTP requests to /exchweb/bin/redir.asp with an external URL supplied in the 'URL' query parameter. ↗
- →Also monitor requests to /CookieAuth.dll?GetLogon with a URL parameter that encodes a redirect through /exchweb/bin/redir.asp to an external host, as this is a second known attack vector. ↗
- →Look for HTTP Location response headers pointing to external domains following requests to /exchweb/bin/redir.asp, indicating a successful redirect to an attacker-controlled site. ↗
- →Use Shodan/FOFA to identify exposed OWA instances as potential targets: search for http.title:"Outlook" or http.favicon.hash:1768726119. ↗
- ·The vulnerability is confirmed only in OWA for Exchange Server 2003 SP2 (build 6.5.7638); other versions may also be affected but are not confirmed. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
Microsoft Outlook Web Access for Exchange Server 2003 - 'redir.asp' Open Redirection
exploitdb·2008-10-15
CVE-2008-1547 Microsoft Outlook Web Access for Exchange Server 2003 - 'redir.asp' Open Redirection
Microsoft Outlook Web Access for Exchange Server 2003 - 'redir.asp' Open Redirection
---
source: https://www.securityfocus.com/bid/31765/info
Outlook Web Access is prone to a remote URI-redirection vulnerability because the application fails to properly sanitize user-supplied input.
A successful exploit may aid in phishing attacks.
OWA 6.5 SP 2 is vulnerable; other versions may also be affected.
https://webmail.example.com/exchweb/bin/redir.asp?URL=http://www.example2.com
https://webmail.example.com/CookieAuth.dll?GetLogon?url=%2Fexchweb%2Fbin%2Fredir.asp%3FURL%3Dhttp%3A%2F%2Fwww.example2.com&reason=0
Nuclei
Microsoft OWA Exchange Server 2003 - 'redir.asp' Open Redirection
nuclei·CVSS 4.3
CVE-2008-1547 [MEDIUM] Microsoft OWA Exchange Server 2003 - 'redir.asp' Open Redirection
Microsoft OWA Exchange Server 2003 - 'redir.asp' Open Redirection
Open redirect vulnerability in exchweb/bin/redir.asp in Microsoft Outlook Web Access (OWA) for Exchange Server 2003 SP2 (aka build 6.5.7638) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the URL parameter.
Template:
id: CVE-2008-1547
info:
name: Microsoft OWA Exchange Server 2003 - 'redir.asp' Open Redirection
author: ctflearner
severity: medium
description: |
Open redirect vulnerability in exchweb/bin/redir.asp in Microsoft Outlook Web Access (OWA) for Exchange Server 2003 SP2 (aka build 6.5.7638) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the URL parameter.
impact: |
An attacker can exploit this
http://securityreason.com/securityalert/4441http://www.securityfocus.com/archive/1/497374/100/0/threadedhttp://www.securityfocus.com/archive/1/497390/100/0/threadedhttp://www.securityfocus.com/archive/1/497433/100/0/threadedhttp://www.securityfocus.com/archive/1/497500/100/0/threadedhttp://www.securityfocus.com/archive/1/497534/100/0/threadedhttp://www.securityfocus.com/bid/31765https://exchange.xforce.ibmcloud.com/vulnerabilities/46061http://securityreason.com/securityalert/4441http://www.securityfocus.com/archive/1/497374/100/0/threadedhttp://www.securityfocus.com/archive/1/497390/100/0/threadedhttp://www.securityfocus.com/archive/1/497433/100/0/threadedhttp://www.securityfocus.com/archive/1/497500/100/0/threadedhttp://www.securityfocus.com/archive/1/497534/100/0/threadedhttp://www.securityfocus.com/bid/31765https://exchange.xforce.ibmcloud.com/vulnerabilities/46061
2008-10-21
Published