
Outlook Web Access Open Redirect PCI Scan Compliance

Windows Server 2003 Standard
Exchange 2003
A parameter has been identified that can be modified to redirect clients to a user-controlled page. An attacker could potentially construct a URL that will redirect a victim to a site that they control. This type of attack is typically seen in phishing attacks where the user is presented with a valid link on the site (e.g. http://www.hackersafe.com/main.jsp?state=4&page=http://hackersafe-evilsite.com) and hackersafe.com redirects the user to hackersafe-evilsite.com (the site the attacker controls). The fact that the server name in the modified link is identical to the original site helps the attacker by giving his phishing attempts a more reliable appearance.
I understand disabling FBA will resolve this, is there any other way?
1 Solution

LeeDerbyshire commented:
ISTR that although this wasn't considered to be a serious issue (although it certainly is if it has been identified in your PCI scan) this was fixed in E2003 SP2.

xpedia (author) commented:
We are running Version 6.5 (Build 7638.2 Service Pack 2) on both front end servers and SP 2 on Windows 2003

xpedia (author) commented:
Sorry forgot to say thank you!
LeeDerbyshire commented:
There's some explanation (with some helpful MS input near the end) here:

http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.exchange.admin&tid=9426d192-3c1a-47d4-bdbb-8a10a0fb0923&cat=&lang=&cr=&sloc=&p=1

The problem with the scans, though, is that they assume that if the FBA logon page appears, then there is a problem.  I don't think they actually do an active test to see if the server is still vulnerable.
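Lee's point is that the scanner raises the finding whenever it sees the FBA logon page, without ever exercising the redirect. An active check is what separates a patched front-end from a vulnerable one, and it is short to write. The following is an added example (not code from this thread, and not a McAfee or Microsoft tool): it sets the suspect parameter to a canary host and classifies the server's 3xx Location header, rather than trusting the presence of a logon page. The parameter name `page`, the target host and the canary host are taken from the thread's own illustrative URL and are assumptions; the real parameter is whichever one the scan report named, and the sample responses at the bottom are constructed, not captured traffic.

```python
"""Active open-redirect probe (added example, not code from the thread).

A scanner that only looks for a logon page cannot tell a patched server
from a vulnerable one.  This does the check the thread says the scanner
skips: set the suspect parameter to a canary host and see whether the
server's redirect actually leaves the site.
"""
import urllib.error
import urllib.request
from urllib.parse import parse_qsl, urlencode, urljoin, urlsplit, urlunsplit

# Assumption: a host we control for the probe, taken from the thread's example.
CANARY_URL = "http://hackersafe-evilsite.com"
REDIRECT_CODES = {301, 302, 303, 307, 308}


def build_probe_url(target_url, param, canary=CANARY_URL):
    """Copy target_url with `param` set to the canary; other params are kept."""
    parts = urlsplit(target_url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query[param] = canary
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))


def classify_redirect(probe_url, status, location):
    """Classify one response to the probe.

    Returns "no_redirect", "same_site", "open_redirect" or
    "unexpected_scheme".  Only an off-site http(s) target is the finding
    the scan report describes.
    """
    if status not in REDIRECT_CODES or not location:
        return "no_redirect"
    # Relative and scheme-relative ("//evil") Locations resolve against the
    # request URL, the same way a browser resolves them.
    target = urlsplit(urljoin(probe_url, location.strip()))
    if target.scheme not in ("http", "https"):
        return "unexpected_scheme"      # e.g. javascript: or data:
    # urlsplit().hostname strips userinfo, so
    # "http://www.hackersafe.com@evil/" is seen as host "evil".
    host = (target.hostname or "").lower()
    if host == "" or host == (urlsplit(probe_url).hostname or "").lower():
        return "same_site"
    return "open_redirect"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so we can inspect Location ourselves."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(target_url, param, timeout=10):
    """Send the probe to a live server and classify the reply.

    Needs network access to the OWA host; the offline samples below do not.
    """
    url = build_probe_url(target_url, param)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            status, location = resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:   # an un-followed 3xx lands here
        status, location = err.code, err.headers.get("Location")
    return url, status, location, classify_redirect(url, status, location)


# Constructed responses for the thread's example URL (not captured traffic).
SAMPLE_TARGET = "http://www.hackersafe.com/main.jsp?state=4&page=/main.jsp"
SAMPLE_RESPONSES = [
    (302, "http://hackersafe-evilsite.com/"),            # vulnerable
    (302, "//hackersafe-evilsite.com/"),                 # scheme-relative, still off-site
    (302, "/main.jsp?state=4"),                          # fixed: stays on site
    (302, "http://www.hackersafe.com/login?page=" + CANARY_URL),  # echoed, but on site
    (200, None),                                         # logon page served, no redirect
]


def run_samples(target=SAMPLE_TARGET, param="page", responses=SAMPLE_RESPONSES):
    """Classify each constructed response; returns the list of verdicts."""
    url = build_probe_url(target, param)
    return [classify_redirect(url, status, loc) for status, loc in responses]


if __name__ == "__main__":
    for (status, loc), verdict in zip(SAMPLE_RESPONSES, run_samples()):
        print(f"{status} {loc!r:62} -> {verdict}")
```

Only the first two constructed responses are the finding the PCI report describes; the third and fourth show a server that still serves FBA and still echoes the parameter but never leaves its own host, which is exactly the case a logon-page-only check cannot distinguish. Against a live front-end, `probe(url, param)` does the same classification on the real reply.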

xpedia (author) commented:
Thanks LeeDerbyshire,
Rescanning with McAfee now to see what happens

xpedia (author) commented:
The link does provide a working solution, I tried it, but McAfee still says the vulnerability exists.

LeeDerbyshire commented:
Yes, I think that the test will always assume that your server is vulnerable, even if you have applied a fix.  These tests are too superficial, IMHO.  I don't think there is much chance of getting them to change the test, so your only other option would be to not use FBA :(

xpedia (author) commented:
Thanks LeeDerbyshire