Outlook Web App (OWA) 2013 - Possible SQL Injection

snoopy514us
I recently had a pen test and one of the findings was that our OWA (Exchange 2013) is vulnerable to "Possible SQL Injection". Our pen tester recommends that we download the latest login dialog applet from Microsoft or recompile the web code against the v4.5 or later .NET framework. I am not able to find any such download from Microsoft, nor can I find any information regarding the vulnerability or how to remediate it.

Has anyone encountered this issue before or know how to secure the OWA logon page from SQL Injection? I read somewhere that it is not recommended to edit Microsoft's code.
btan, Exec Consultant
Distinguished Expert 2018
Commented:
You don't even have access to the original MS code, so how are you going to edit it? You (as a user) are more into patching it if vulnerabilities are identified. From the CVE details on OWA (1) and Exchange (2), there is no mention of SQLi, but there are others, including XSS. Patching will resolve most of the findings, and putting a WAF (3) in front also helps reduce exposure.

1 https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-5076/Microsoft-Outlook-Web-Access.html
2 https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-194/Microsoft-Exchange-Server.html
3 https://support.citrix.com/article/CTX201989
Distinguished Expert 2018

Commented:
I recently had a pen test and one of the findings was that our OWA (Exchange 2013) is vulnerable to "Possible SQL Injection". Our pen tester recommends that we download the latest login dialog applet from Microsoft or recompile the web code against the v4.5 or later .NET framework. I am not able to find any such download from Microsoft, nor can I find any information regarding the vulnerability or how to remediate it.
How many Microsoft customers actually have access to the code? This one should've been common sense on the pen tester's part.

You should have a solid patching strategy. And like btan mentioned previously, you should have a WAF in place. If you have a plan to move to 365, you can implement MFA when you get there. (Plus you're no longer responsible for patching mail servers)

Author

Commented:
Thank you btan and masnrock for the quick responses!

I had also previously looked at the CVEs for OWA and Exchange, along with other resources, and was not able to find anything regarding the SQL Injection. That made me question whether it is a Microsoft issue that requires patching or reaching out to them. So I applied the updates and patches.

Correct me if I am wrong, but isn't it possible to access the path and edit the login pages and the scripts located at "c:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx" and "c:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa\15.0.1395.3\scripts\premium" on an Exchange 2013 server?
Distinguished Expert 2018

Commented:
Did the pen tester tell you WHICH vulnerability? I remember that there are CVEs that call out HTML injection. (Clearly that doesn't negate the need for patching.)

Author

Commented:
Which vulnerability it was was not provided or stated. The pen tester was using OWASP ZAP, with the result being High - "Possible SQL Injection", CWE Id 89, WASC Id 19, and Source ID 1.
Distinguished Expert 2018

Commented:
Then yes, WAF would help big time with that. You can filter out a lot of SQL injection attempts at that level.
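To make the WAF point concrete, here is an added example (not from the thread or from any of the posters) of the kind of request filtering a WAF or log monitor applies to the OWA logon endpoints. It runs over a handful of constructed IIS-style log lines, decodes the query string the way a scanner-facing filter must, and flags the classic CWE-89 probe syntax that ZAP's SQL injection rule sends; the paths, log format and patterns are illustrative assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log lines (not real traffic): date time method uri-stem uri-query status
SAMPLE_LOG = """\
2018-05-01 10:00:01 GET /owa/auth/logon.aspx replaceCurrent=1&url=https://mail.example.com/owa/ 200
2018-05-01 10:00:05 POST /owa/auth.owa destination=https://mail.example.com/owa/&flags=4 302
2018-05-01 10:00:09 GET /owa/auth/logon.aspx url=%27%20OR%20%271%27%3D%271 200
2018-05-01 10:00:12 GET /owa/auth/logon.aspx url=1%3BWAITFOR%20DELAY%20%270%3A0%3A5%27-- 200
2018-05-01 10:00:15 GET /owa/auth/logon.aspx url=https://mail.example.com/owa/ 200
"""

# Assumed OWA logon endpoints to watch (the thread names logon.aspx; auth.owa is the form target)
OWA_LOGON_PATHS = ("/owa/auth/logon.aspx", "/owa/auth.owa")

# Probe syntax typical of scanner SQLi rules: tautologies, time delays, UNION, comment terminators
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s*'?\d*'?\s*=", re.I),   # tautology such as ' OR '1'='1
    re.compile(r"\bwaitfor\s+delay\b", re.I),           # MSSQL time-based probe
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),   # UNION-based probe
    re.compile(r"(--|#|/\*)\s*$"),                      # trailing SQL comment terminator
    re.compile(r";\s*(drop|exec|insert|update|delete)\b", re.I),  # stacked statement
]


def parse_line(line):
    """Split one W3C-style line; the query is percent-decoded before matching."""
    date, time, method, path, query, status = line.split(" ", 5)
    return {"time": f"{date} {time}", "method": method, "path": path.lower(),
            "query": unquote_plus(query), "status": int(status)}


def flag_sqli_probes(log_text):
    """Return (time, path, decoded query, pattern) for logon requests carrying SQLi probe syntax."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["path"] not in OWA_LOGON_PATHS:
            continue  # only the logon endpoints are in scope for this check
        for pat in SQLI_PATTERNS:
            if pat.search(rec["query"]):
                hits.append((rec["time"], rec["path"], rec["query"], pat.pattern))
                break
    return hits


if __name__ == "__main__":
    for hit in flag_sqli_probes(SAMPLE_LOG):
        print(hit)
```

Two of the five constructed requests are flagged (the tautology and the WAITFOR DELAY probe); the ordinary logon redirects pass untouched, which is the behaviour a WAF rule in front of OWA needs to preserve.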
btan, Exec Consultant
Distinguished Expert 2018

Commented:
I don't see why a user would be able to access the host path to get to those pages and tamper with them, unless there is some sort of injection weakness or access is gained remotely through some privileged account.

Author

Commented:
You are right, users cannot access the host path. However, since I have a privileged account (administrator) I am able to access the Exchange 2013 server, which is hosting the OWA.

Even with that access, it sounds like we are not supposed to tamper with Microsoft's OWA code, as it should be secured with patches and updates. Correct?
btan, Exec Consultant
Distinguished Expert 2018

Commented:
Yes. If you can't control those code changes, as you are not the owner of the code, you can only accept the risk if you are still using it. Deployed code would have gone through code scanning and review to catch obviously poor input validation and prevent such injection attacks.

Author

Commented:
Thank you both for your input and help!
