Outlook Web Access Open Redirect PCI Scan Compliance

Windows Server 2003 Standard
Exchange 2003
A parameter has been identified that can be modified to redirect clients to a user controlled page. An attacker could potentially construct a URL that will redirect a victim to a site that they control. This type of attack is typically seen in phishing attacks where the user is presented with a valid link on the site (i.e. http://www.hackersafe.com/main.jsp?state=4&page=http://hackersafe-evilsite.com) and hackersafe.com redirects the user to hackersafe-evilsite.com (the site the attacker controls). The fact that the server name in the modified link is identical to the original site helps the attacker by giving his phishing attempts a more reliable appearance.
I understand disabling FBA will resolve this; is there any other way?
Asked by xpedia
 
LeeDerbyshire commented (accepted solution):
Yes, I think that the test will always assume that your server is vulnerable, even if you have applied a fix.  These tests are too superficial, IMHO.  I don't think there is much chance of getting them to change the test, so your only other option would be to not use FBA :(
0
 
LeeDerbyshire commented:
ISTR that although this wasn't considered to be a serious issue (although it certainly is if it has been identified in your PCI scan) this was fixed in E2003 SP2.
0
 
xpedia (author) commented:
We are running Version 6.5 (Build 7638.2 Service Pack 2) on both front end servers and SP 2 on Windows 2003
0
 
xpedia (author) commented:
Sorry forgot to say thank you!
0
 
LeeDerbyshire commented:
There's some explanation (with some helpful MS input near the end) here:

http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.exchange.admin&tid=9426d192-3c1a-47d4-bdbb-8a10a0fb0923&cat=&lang=&cr=&sloc=&p=1

The problem with the scans, though, is that they assume that if the FBA logon page appears, then there is a problem.  I don't think they actually do an active test to see if the server is still vulnerable.
0
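The scanner finding quoted in the question and LeeDerbyshire's point about the scan being a superficial check (it sees the FBA logon page and assumes the worst, rather than observing what the server actually does with a crafted redirect parameter) can both be illustrated with a small Python example. This is an added example, not code from the thread or from Exchange/OWA; the hosts, paths and headers are constructed placeholders, and the helper names are assumptions. The first function is the server-side rule a redirect parameter should pass (stay on the site's own host); the second is the active verification a scanner ought to do, judging a finding by the real response instead of by the presence of the logon form.

```python
"""Open-redirect checks for a login-page redirect parameter.

Added example, not code from the thread or from Exchange/OWA. Two
defender-side helpers:

  * safe_redirect_target()          server-side validation that only accepts
                                    a redirect target staying on the site's
                                    own host, so a crafted ...?page=http://evil
                                    link is never followed;
  * redirect_actually_leaves_site() an active check of a scanner finding:
                                    inspect the real response instead of
                                    assuming that the presence of the logon
                                    form proves the flaw.

Every URL, host name and header below is a constructed sample value.
"""
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def safe_redirect_target(site_base: str, target: str) -> bool:
    """Return True only if `target` resolves to an http(s) page on the same
    host as `site_base`.  Relative paths are allowed; anything that resolves
    to another host, a protocol-relative URL or a non-http scheme is not."""
    if not target or "\r" in target or "\n" in target:
        return False                      # empty, or a header-injection attempt
    # Browsers treat backslashes like slashes, so "\\evil.com" must be judged
    # as the protocol-relative "//evil.com" rather than as a local path.
    normalised = target.replace("\\", "/")
    resolved = urlsplit(urljoin(site_base, normalised))
    if resolved.scheme not in ("http", "https"):
        return False                      # javascript:, data:, etc.
    return resolved.hostname == urlsplit(site_base).hostname


def redirect_actually_leaves_site(request_url: str, status: int,
                                  headers: dict) -> bool:
    """Active verification: True only when the response is a real HTTP
    redirect whose Location header points off the requested host.  A 200
    that merely renders the FBA logon form is not evidence of the flaw."""
    if status not in REDIRECT_STATUSES:
        return False
    location = next((v for k, v in headers.items()
                     if k.lower() == "location"), None)
    if location is None:
        return False
    return not safe_redirect_target(request_url, location)


# Constructed sample responses to one crafted request, i.e. what a scanner
# would observe; host and paths are placeholders, not a real deployment.
CRAFTED = ("http://mail.example.test/logon.asp"
           "?url=http://hackersafe-evilsite.com/")
SAMPLE_RESPONSES = {
    "logon form shown, no redirect":       (200, {"Content-Type": "text/html"}),
    "redirect rewritten to stay on host":  (302, {"Location": "/logon.asp"}),
    "bounced to attacker-controlled host": (302, {"Location": "http://hackersafe-evilsite.com/"}),
}


def triage(responses=SAMPLE_RESPONSES, request_url=CRAFTED) -> dict:
    """Map each sample response to whether it actually proves an open redirect."""
    return {desc: redirect_actually_leaves_site(request_url, status, hdrs)
            for desc, (status, hdrs) in responses.items()}


if __name__ == "__main__":
    for desc, vulnerable in triage().items():
        print(f"{'OPEN REDIRECT' if vulnerable else 'not a redirect':14} {desc}")
```

Of the three constructed responses only the last one is a genuine open redirect; the first two are exactly the cases a "logon page appeared, therefore vulnerable" heuristic would still flag. Host comparison is done on the parsed hostname rather than by string prefix, so look-alike hosts such as www.hackersafe.com.hackersafe-evilsite.com are rejected as well.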
 
xpedia (author) commented:
Thanks LeeDerbyshire,
Rescanning with McAfee now to see what happens
0
 
xpedia (author) commented:
The link does provide a working solution, I tried it, but McAfee still says the vulnerability exists.
0
 
xpedia (author) commented:
Thanks LeeDerbyshire
0