Solved

Security Scan has detected a flag on OWA 2003 I need some help to remediate

Posted on 2011-09-16
1
1,152 Views
Last Modified: 2012-06-27
Hi,

We are having the following issue when running a 3rd party scan on the OWA servers Exchange 2003

This issue has been reported here as well but there was not solution provided:

http://social.technet.microsoft.com/Forums/en-US/exchangesvrcompliance/thread/ec51dd70-79f4-4877-93d7-71d9a08cac6c/

My server is up to date.

Here is the error from the scanner:

Syntax error occurred port 80/tcp

QID: 150022 CVSS Base: 7.5 PCI Severity:

Category: Web Application CVSS Temporal: 6.8

CVE ID: -

Vendor Reference: -

Bugtraq ID: -

Last Update: 01/16/2009

THREAT:

A test payload generated a syntax error within the web application. This often points to a problem with input validation routines or lack of filters on

user-supplied content.

Scan Results page 62

IMPACT:

A malicious user may be able to create a denial of service, serious error, or exploit depending on the error encountered by the web application.

SOLUTION:

The web application should restrict user-supplied to consist of a minimal set of characters necessary for the input field. Additionally, all content

received from the client (i.e. web browser) should be validated to an expected format or checked for malicious content.

RESULT:

url: https://xx.xx.xx.xx/exchweb/bin/auth/owalogon.asp?reason=%22%3e%3cqss%3e&url=https://xx.xx.xx.xx/exchange

variants: 31

matched: onload()

{

<font face="Arial" size=2>

<p>Microsoft VBScript runtime </font> <font face="Arial" size=2>error '800a000d'</font>

<p>

<font face="Arial" size=2>Type mismatch: '[st


0
Comment
Question by:llarava
1 Comment
 
LVL 26

Accepted Solution

by:
e_aravind earned 500 total points
ID: 36559101
From the social technet:
===============
>> Also I want to recommend you if there is no error after you run ExBPA, we can assume Exchange is in health state. We can just ignore the error.

From your Question:
=============

IMPACT:

A malicious user may be able to create a denial of service, serious error, or exploit depending on the error encountered by the web application.

SOLUTION:

The web application should restrict user-supplied to consist of a minimal set of characters necessary for the input field. Additionally, all content

received from the client (i.e. web browser) should be validated to an expected format or checked for malicious content

>> so if needed for the iis6.0 you can have the urlscan to control the content-length ...but that needs a lot of additional over-head


Normally we can ignore this...with the hope that iis6.0 will handle the DOS attack
http://support.microsoft.com/kb/307608
http://technet.microsoft.com/en-us/security/cc242650
0

Featured Post

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Not sure what the best email signature size is? Are you worried about email signature image size? Follow this best practice guide.
This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
The view will learn how to download and install SIMTOOLS and FORMLIST into Excel, how to use SIMTOOLS to generate a Monte Carlo simulation of 30 sales calls, and how to calculate the conditional probability based on the results of the Monte Carlo …

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now