Question asked by llarava
Security Scan has detected a flag on OWA 2003 I need some help to remediate

Hi,

We are seeing the following issue when running a third-party scan against our Exchange 2003 OWA servers.

This issue has been reported here as well, but no solution was provided:

http://social.technet.microsoft.com/Forums/en-US/exchangesvrcompliance/thread/ec51dd70-79f4-4877-93d7-71d9a08cac6c/

My server is up to date.

Here is the error from the scanner:

Syntax error occurred port 80/tcp

QID: 150022 CVSS Base: 7.5 PCI Severity:

Category: Web Application CVSS Temporal: 6.8

CVE ID: -

Vendor Reference: -

Bugtraq ID: -

Last Update: 01/16/2009

THREAT:

A test payload generated a syntax error within the web application. This often points to a problem with input validation routines or a lack of filters on user-supplied content.


IMPACT:

A malicious user may be able to create a denial of service, serious error, or exploit depending on the error encountered by the web application.

SOLUTION:

The web application should restrict user-supplied input to the minimal set of characters necessary for the input field. Additionally, all content received from the client (i.e. the web browser) should be validated against an expected format or checked for malicious content.

RESULT:

url: https://xx.xx.xx.xx/exchweb/bin/auth/owalogon.asp?reason=%22%3e%3cqss%3e&url=https://xx.xx.xx.xx/exchange

variants: 31

matched: onload()

{

<font face="Arial" size=2>

<p>Microsoft VBScript runtime </font> <font face="Arial" size=2>error '800a000d'</font>

<p>

<font face="Arial" size=2>Type mismatch: '[st
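The RESULT block above shows the scanner placing the URL-encoded payload `%22%3e%3cqss%3e` (which decodes to `"><qss>`) in the `reason` parameter of owalogon.asp, and the server answering with a classic-ASP VBScript runtime error page rather than the logon form. The following Python is an added example, not code from the original post or from the members-only answer. It rebuilds the probe URL so the finding can be re-tested after any change, detects the error signature quoted on the page in a response body, and sketches the kind of allowlist the scanner's SOLUTION text asks for. The allowlist rests on two assumptions of mine that the page does not confirm: that legitimate `reason` values are short integers (a VBScript "Type mismatch" is what a non-numeric string coerced to a number produces, which is consistent with this but not proof), and that `url` must be an https URL pointing back to the same host under /exchange. The host name `owa.example.test` and both sample response bodies are constructed for the example; the error body copies the fragment quoted on the page, including its truncation.

```python
"""Reproduce and re-test the scanner finding against OWA 2003, offline.

Added example, not from the original post. Labelled assumptions:
  - legitimate `reason` values are small integers (1-3 digits);
  - `url` must be an https URL on the same host under /exchange.
Neither is documented on the page; they only model the scanner's advice to
allow "the minimal set of characters necessary for the input field".
"""
import re
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Payload exactly as it appears in the scan result URL on the page.
SCAN_PAYLOAD_ENCODED = "%22%3e%3cqss%3e"

# Signature of the classic-ASP error page quoted in the scan RESULT section.
VBSCRIPT_ERROR_RE = re.compile(
    r"Microsoft VBScript runtime.*?error '800a000d'.*?Type mismatch", re.S
)

# Constructed sample: the error fragment quoted on the page (truncated as shown).
SAMPLE_ERROR_BODY = (
    '<font face="Arial" size=2>\n'
    '<p>Microsoft VBScript runtime </font> <font face="Arial" size=2>'
    "error '800a000d'</font>\n"
    "<p>\n"
    '<font face="Arial" size=2>Type mismatch: \'[st'
)

# Constructed sample: a generic logon form, i.e. what a remediated server should return.
SAMPLE_CLEAN_BODY = (
    '<html><body><form method="post">'
    '<input name="username"><input type="password" name="password">'
    "</form></body></html>"
)


def decode_payload(encoded: str) -> str:
    """Show what the scanner actually sent: an XSS-style tag-break probe."""
    return unquote(encoded)


def build_probe_url(host: str, payload: str) -> str:
    """Recreate the scanner's request so the finding can be re-tested later."""
    return (
        f"https://{host}/exchweb/bin/auth/owalogon.asp"
        f"?reason={quote(payload, safe='')}&url=https://{host}/exchange"
    )


def looks_like_vbscript_error(body: str) -> bool:
    """Detection logic: does the response leak an ASP runtime error?"""
    return VBSCRIPT_ERROR_RE.search(body) is not None


def validate_logon_params(query: str, host: str) -> dict:
    """Hypothetical allowlist for the owalogon.asp query string.

    Returns a dict of parameter -> reason it was rejected; empty means accepted.
    The accepted shapes are assumptions (see module docstring), not OWA behaviour.
    """
    params = parse_qs(query, keep_blank_values=True)
    problems = {}

    # Assumption: `reason` is a short numeric code, so anything else is rejected.
    reason = params.get("reason", [""])[0]
    if not re.fullmatch(r"[0-9]{1,3}", reason):
        problems["reason"] = "expected 1-3 digits"

    # Assumption: `url` is a same-host https redirect target under /exchange.
    url = params.get("url", [""])[0]
    parts = urlsplit(url)
    if (
        parts.scheme != "https"
        or parts.netloc.lower() != host.lower()
        or not parts.path.startswith("/exchange")
    ):
        problems["url"] = "expected https URL on this host under /exchange"
    return problems


if __name__ == "__main__":
    host = "owa.example.test"  # constructed host name
    payload = decode_payload(SCAN_PAYLOAD_ENCODED)
    print("scanner payload:", payload)
    print("probe URL:", build_probe_url(host, payload))
    print("error page detected:", looks_like_vbscript_error(SAMPLE_ERROR_BODY))
    print("clean page detected:", looks_like_vbscript_error(SAMPLE_CLEAN_BODY))
    print(
        "allowlist on scanner query:",
        validate_logon_params(f"reason={SCAN_PAYLOAD_ENCODED}&url=https://{host}/exchange", host),
    )
```

Since owalogon.asp ships with Exchange rather than being site code, a check like `validate_logon_params` would in practice be enforced in front of the page (a URL filter or reverse proxy) rather than by editing the ASP; the function only shows what the allowlist looks like. The detection side is what matters for closing the ticket: after any change, request the rebuilt probe URL and confirm the response no longer matches the VBScript error signature.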


ASKER CERTIFIED SOLUTION (by e_aravind)