URL redirection flaw unpatched by Microsoft

This is a kind of phishing attack that tricks the user into believing that the URL (web address) in their email is legitimate, when it actually redirects them to a fake website. This is well explained in the URL Redirection Flaw link. What we refer to here is an unpatched URL redirection flaw in a Microsoft product, Microsoft Outlook Web Access, OWA for short.

http://<server>/exchweb/bin/auth/owalogon.asp?url=http://www.fakesite.com

This weakness is a design flaw: OWA uses the url= parameter to send the user on to an inner page after successful authentication, but it does not restrict that parameter to pages on the OWA server itself. A malicious person can use this to redirect the user to a fake website. Because the link starts with the genuine OWA host name and the user has just authenticated against it, the fake site inherits the trust of the real one. This was reported to Microsoft in 2005 and no patch has been released so far.
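The following is an added example, not code from the original post or from Microsoft. It shows the flaw in miniature: a post-login handler that trusts the url= parameter as-is (the pattern described above) next to a hardened version that only accepts a local OWA path. The host name owa.example.test, the default landing page /exchange/ and the allowed path prefixes are assumptions for illustration.

```python
from urllib.parse import urlsplit, unquote, urlencode, parse_qs

# Assumed OWA host and landing page for the example (not from the original post).
OWA_HOST = "owa.example.test"
OWA_DEFAULT_PAGE = "/exchange/"
# Assumed set of local OWA application paths a post-login redirect may target.
ALLOWED_PREFIXES = ("/exchange/", "/exchweb/", "/public/")


def craft_phishing_link(server: str, target: str) -> str:
    """Build the kind of link the post describes: genuine OWA host, attacker-chosen url= value."""
    return f"http://{server}/exchweb/bin/auth/owalogon.asp?" + urlencode({"url": target})


def url_param_from_link(link: str) -> str:
    """Extract the url= query parameter the login page would read after authentication."""
    return parse_qs(urlsplit(link).query).get("url", [""])[0]


def vulnerable_redirect_target(value: str, default: str = OWA_DEFAULT_PAGE) -> str:
    """The flawed pattern: whatever url= says is where the user goes after logging in."""
    return value or default


def safe_redirect_target(value: str, default: str = OWA_DEFAULT_PAGE) -> str:
    """Hardened pattern: accept only a local, absolute OWA path, otherwise fall back to default."""
    if not value:
        return default
    # Decode once so a percent-encoded "%2f%2fevil" is judged on what the browser would see.
    candidate = unquote(value)
    # Reject control characters and whitespace (header injection, parser confusion).
    if any(ord(c) < 32 or c.isspace() for c in candidate):
        return default
    # Some browsers treat "/\evil" like "//evil"; do not try to be clever, just refuse it.
    if "\\" in candidate:
        return default
    parts = urlsplit(candidate)
    # Any scheme ("http:", "javascript:") or authority ("//host") means an off-site target.
    if parts.scheme or parts.netloc:
        return default
    # Must be an absolute local path, and not protocol-relative.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    # Finally, restrict to the OWA application's own paths.
    if not candidate.startswith(ALLOWED_PREFIXES):
        return default
    return candidate


def demo():
    """Compare both handlers on a phishing link of the shape shown in the post."""
    link = craft_phishing_link(OWA_HOST, "http://www.fakesite.com")
    param = url_param_from_link(link)
    return {
        "link": link,
        "vulnerable": vulnerable_redirect_target(param),
        "hardened": safe_redirect_target(param),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The important design choice is the allow-list on local path prefixes rather than a deny-list of "http://" strings: protocol-relative (//host), backslash, percent-encoded and scheme-less variants all bypass a naive string check, and the hardened function above rejects each of them by falling back to the default page instead of trying to repair the input.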

Ref: Secunia Advisory SA14144
