On my previous post about OWA XSS I talked about Cross Site Scripting in the attachment field of a mail. The XSS is not in the attachment, is in the body of the message. Sorry, I need to sleep... Please notice: not in the attachment, in the BODY. To make it clear to understand I have just published on my site (www.infohacking.com) a report explaining how to reproduce this bug on a real environment with a proof of concept exploit. Our code is able to exploit the XSS on the Outlook Web Access to show the user cookie and the Windows domain, username and password in cleartext. Have fun! Hugo Vázquez Caramés & Toni Cortés Martínez Infohacking Research 2003 Barcelona Spain
