CVE-2008-1547
published 2008-10-21

CVE-2008-1547: Open redirect vulnerability in exchweb/bin/redir.asp in Microsoft Outlook Web Access (OWA) for Exchange Server 2003 SP2 (aka build 6.5.7638) allows remote…

Priority: P432, medium (CVSS 2.0: 4.3)
CVSS vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS: 45.93% (98.7th percentile)
Open redirect vulnerability in exchweb/bin/redir.asp in Microsoft Outlook Web Access (OWA) for Exchange Server 2003 SP2 (aka build 6.5.7638) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the URL parameter.

Affected

1 range
Vendor      Product            Version range    Fixed in
microsoft   exchange_server

Detection & IOCs (extracted from sources)

path: /exchweb/bin/redir.asp
url: https://webmail.example.com/exchweb/bin/redir.asp?URL=http://www.example2.com
url: https://webmail.example.com/CookieAuth.dll?GetLogon?url=%2Fexchweb%2Fbin%2Fredir.asp%3FURL%3Dhttp%3A%2F%2Fwww.example2.com&reason=0
path: /CookieAuth.dll
sigma
regex: '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
  • Detect open redirect exploitation attempts by monitoring HTTP requests to /exchweb/bin/redir.asp with an external URL supplied in the 'URL' query parameter.
  • Also monitor requests to /CookieAuth.dll?GetLogon with a URL parameter that encodes a redirect through /exchweb/bin/redir.asp to an external host, as this is a second known attack vector.
  • Look for HTTP Location response headers pointing to external domains following requests to /exchweb/bin/redir.asp, indicating a successful redirect to an attacker-controlled site.
  • Use Shodan/FOFA to identify exposed OWA instances as potential targets: search for http.title:"Outlook" or http.favicon.hash:1768726119.
  • The vulnerability is confirmed only in OWA for Exchange Server 2003 SP2 (build 6.5.7638); other versions may also be affected but are not confirmed.
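
The two request patterns in the detection notes above, checked over web-server log lines. This is an added example, not part of the original record; the "METHOD URI" log format, the function names and the own-host allow-list are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

REDIR_PATH = "/exchweb/bin/redir.asp"
COOKIEAUTH_PATH = "/cookieauth.dll"

def _param(query, name):
    """First value of a query parameter, matched case-insensitively."""
    for key, values in parse_qs(query, keep_blank_values=True).items():
        if key.lower() == name:
            return values[0]
    return None

def redirect_target(uri):
    """Return the URL handed to redir.asp, directly or via CookieAuth.dll."""
    parts = urlsplit(uri)
    path, query = parts.path.lower(), parts.query
    if path == REDIR_PATH:
        return _param(query, "url")
    if path == COOKIEAUTH_PATH:
        # Query looks like "GetLogon?url=<encoded inner URI>&reason=0".
        if query.lower().startswith("getlogon?"):
            query = query[len("getlogon?"):]
        inner = _param(query, "url")
        return redirect_target(inner) if inner else None
    return None

def is_external(target, own_hosts):
    """True when the target names a host that is not one of ours."""
    host = urlsplit(target).hostname  # None for relative targets
    return host is not None and host.lower() not in own_hosts

def scan(log_lines, own_hosts):
    """Return (request URI, external target) pairs worth an alert."""
    alerts = []
    for line in log_lines:
        fields = line.split()
        target = redirect_target(fields[1]) if len(fields) > 1 else None
        if target and is_external(target, own_hosts):
            alerts.append((fields[1], target))
    return alerts

SAMPLE = [  # constructed log lines, built from the URLs listed above
    "GET /exchweb/bin/redir.asp?URL=http://www.example2.com",
    "GET /CookieAuth.dll?GetLogon?url=%2Fexchweb%2Fbin%2Fredir.asp%3FURL%3Dhttp%3A%2F%2Fwww.example2.com&reason=0",
    "GET /exchweb/bin/redir.asp?URL=https://webmail.example.com/exchange/",
    "GET /exchange/inbox",
]
```

Calling `scan(SAMPLE, {"webmail.example.com"})` flags the first two lines and ignores the redirect that stays on the mail host.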