CGI Generic SQL Injection (blind, time based) - Exchange vulnerability
Posted on 2016-09-06
We have used Nessus to scan for vulnerabilities on our externally facing Exchange 2013 server and it has reported the following:
CGI Generic SQL Injection (blind, time based)
Test Id: 43160
Severity:3 / High
Description: By sending specially crafted parameters to one or more CGI scripts hosted on the remote web server, Nessus was able to get a slower response, which suggests that it may have been able to modify the behavior of the application and directly access the underlying database. An attacker may be able to exploit this issue to bypass authentication, read confidential data, modify the remote database, or even take control of the remote operating system. Note that this script is experimental and may be prone to false positives.
I can't see any further information or find any fix, does anyone know specifically what this is referring too and if so what we can do to resolve it (closing ports 80 + 443 isn't an option).
Exchange V15.0 Build - 1130.7