Solved

Security Scan has detected a flag on OWA 2003 I need some help to remediate

Posted on 2011-09-16
1
1,166 Views
Last Modified: 2012-06-27
Hi,

We are having the following issue when running a 3rd party scan on the OWA servers Exchange 2003

This issue has been reported here as well but there was not solution provided:

http://social.technet.microsoft.com/Forums/en-US/exchangesvrcompliance/thread/ec51dd70-79f4-4877-93d7-71d9a08cac6c/

My server is up to date.

Here is the error from the scanner:

Syntax error occurred port 80/tcp

QID: 150022 CVSS Base: 7.5 PCI Severity:

Category: Web Application CVSS Temporal: 6.8

CVE ID: -

Vendor Reference: -

Bugtraq ID: -

Last Update: 01/16/2009

THREAT:

A test payload generated a syntax error within the web application. This often points to a problem with input validation routines or lack of filters on

user-supplied content.

Scan Results page 62

IMPACT:

A malicious user may be able to create a denial of service, serious error, or exploit depending on the error encountered by the web application.

SOLUTION:

The web application should restrict user-supplied to consist of a minimal set of characters necessary for the input field. Additionally, all content

received from the client (i.e. web browser) should be validated to an expected format or checked for malicious content.

RESULT:

url: https://xx.xx.xx.xx/exchweb/bin/auth/owalogon.asp?reason=%22%3e%3cqss%3e&url=https://xx.xx.xx.xx/exchange

variants: 31

matched: onload()

{

<font face="Arial" size=2>

<p>Microsoft VBScript runtime </font> <font face="Arial" size=2>error '800a000d'</font>

<p>

<font face="Arial" size=2>Type mismatch: '[st


0
Comment
Question by:llarava
1 Comment
 
LVL 26

Accepted Solution

by:
e_aravind earned 500 total points
ID: 36559101
From the social technet:
===============
>> Also I want to recommend you if there is no error after you run ExBPA, we can assume Exchange is in health state. We can just ignore the error.

From your Question:
=============

IMPACT:

A malicious user may be able to create a denial of service, serious error, or exploit depending on the error encountered by the web application.

SOLUTION:

The web application should restrict user-supplied to consist of a minimal set of characters necessary for the input field. Additionally, all content

received from the client (i.e. web browser) should be validated to an expected format or checked for malicious content

>> so if needed for the iis6.0 you can have the urlscan to control the content-length ...but that needs a lot of additional over-head


Normally we can ignore this...with the hope that iis6.0 will handle the DOS attack
http://support.microsoft.com/kb/307608
http://technet.microsoft.com/en-us/security/cc242650
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Utilizing an array to gracefully append to a list of EmailAddresses
Learn to move / copy / export exchange contacts to iPhone without using any software. Also see the issues in configuration of exchange with iPhone to migrate contacts.
how to add IIS SMTP to handle application/Scanner relays into office 365.
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

832 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question