Outlook Web App (OWA) 2013 - Possible SQL Injection

I recently had a pen test and one of the findings was that our OWA (Exchange 2013) is vulnerable to "Possible SQL Injection". Our pen tester recommends that we download the latest login dialog applet from Microsoft or recompile the web code against the v4.5 or later .NET framework. I am not able to find any such download from Microsoft, nor can I find any information regarding the vulnerability or how to remediate it.

Has anyone encountered this issue before or know how to secure OWA's logon page from SQL Injection? I read somewhere that it is not recommended to edit Microsoft's code.
snoopy514us asked:
btan (Exec Consultant) commented:
You don't even have access to the original MS code, so how are you going to edit it? You (as a user) are more into patching it if there are vulnerabilities identified. From the CVE details on OWA (1) and Exchange (2), there isn't any mention of SQLi, but there are others, including XSS. Patching will resolve most of the findings, and putting a WAF (3) in place also helps reduce exposure.

1 https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-5076/Microsoft-Outlook-Web-Access.html
2 https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-194/Microsoft-Exchange-Server.html
3 https://support.citrix.com/article/CTX201989

masnrock commented:
I recently had a pen test and one of the findings was that our OWA (Exchange 2013) is vulnerable to "Possible SQL Injection". Our pen tester recommends that we download the latest login dialog applet from Microsoft or recompile the web code against the v4.5 or later .NET framework. I am not able to find any such download from Microsoft, nor can I find any information regarding the vulnerability or how to remediate it.
How many Microsoft customers actually have access to code? This one should've been common sense on the pen tester's part.

You should have a solid patching strategy. And like btan mentioned previously, you should have a WAF in place. If you have a plan to move to 365, you can implement MFA when you get there. (Plus, you're no longer responsible for patching mail servers.)
snoopy514us (Author) commented:
Thank you btan and masnrock for the quick responses!

I have also looked at the CVEs for OWA and Exchange previously and did not find anything on SQL Injection, nor in other resources. This made me question whether it is a Microsoft issue that requires patching or reaching out to them. So I applied the updates and patches.

Correct me if I am wrong, but isn't it possible to access the path to edit the login pages and the scripts located at "c:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx" and "c:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa\15.0.1395.3\scripts\premium" on an Exchange 2013 server?

masnrock commented:
Did the pen tester tell you WHICH vulnerability? I remember that there are CVEs that call out HTML injection. (Clearly that doesn't negate the need for patching.)
snoopy514us (Author) commented:
Which vulnerability it was was not provided or stated. The pen tester was using OWASP ZAP, with the result being High - "Possible SQL Injection", with CWE Id 89, WASC Id 19, and Source ID 1.
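The finding above carries only the generic ZAP alert name and the CWE/WASC ids, so the first step for an operator is to pull the affected URL, parameter and scanner confidence out of the report itself before deciding whether the page needs patching, a WAF rule, or a manual re-check. The script below is an added example (not from the original thread, not a ZAP or Microsoft tool) that reads a ZAP JSON report, lists every CWE 89 instance, and applies a simple triage rule: low- or medium-confidence alerts with no evidence string are marked for manual verification, and alerts on vendor-managed paths are marked as "patch plus WAF" rather than "edit the code". The report embedded in the script is constructed sample data in the shape of a ZAP JSON export; the hostname, the `VENDOR_PATHS` list and the triage wording are assumptions for illustration.

```python
"""Triage SQL-injection (CWE 89) alerts from a ZAP JSON report.

Constructed sample data and hypothetical triage rules; not real scan output.
"""
import json

# ZAP confidence codes as they appear in the JSON report.
CONFIDENCE = {"0": "False Positive", "1": "Low", "2": "Medium", "3": "High"}

# Paths served by code the operator does not own (assumption for this example).
VENDOR_PATHS = ("/owa/", "/ecp/")

# Constructed sample in the shape of a ZAP JSON report (not a real scan).
SAMPLE_REPORT = json.dumps({
    "site": [{
        "@name": "https://mail.example.invalid",
        "alerts": [
            {
                "pluginid": "40018",
                "alert": "SQL Injection",
                "riskcode": "3",
                "confidence": "1",
                "riskdesc": "High (Low)",
                "cweid": "89",
                "wascid": "19",
                "sourceid": "1",
                "instances": [
                    {"uri": "https://mail.example.invalid/owa/auth/logon.aspx",
                     "method": "POST", "param": "username", "evidence": ""},
                    {"uri": "https://mail.example.invalid/owa/auth/logon.aspx",
                     "method": "GET", "param": "url", "evidence": ""},
                ],
            },
            {
                "pluginid": "40012",
                "alert": "Cross Site Scripting (Reflected)",
                "riskcode": "3",
                "confidence": "2",
                "riskdesc": "High (Medium)",
                "cweid": "79",
                "wascid": "8",
                "sourceid": "1",
                "instances": [
                    {"uri": "https://mail.example.invalid/owa/auth/logon.aspx",
                     "method": "GET", "param": "url",
                     "evidence": "reflected-marker"},
                ],
            },
        ],
    }],
})


def findings_for_cwe(report_json, cwe="89"):
    """Flatten every instance of alerts with the given CWE id into one dict each."""
    data = json.loads(report_json)
    findings = []
    for site in data.get("site", []):
        for alert in site.get("alerts", []):
            if str(alert.get("cweid")) != str(cwe):
                continue
            for inst in alert.get("instances", []):
                findings.append({
                    "site": site.get("@name"),
                    "plugin": alert.get("pluginid"),
                    "name": alert.get("alert") or alert.get("name"),
                    "risk": alert.get("riskdesc"),
                    "confidence": CONFIDENCE.get(str(alert.get("confidence")), "Unknown"),
                    "uri": inst.get("uri", ""),
                    "method": inst.get("method"),
                    "param": inst.get("param"),
                    "evidence": inst.get("evidence") or "",
                })
    return findings


def triage(finding):
    """Return a short triage decision for one flattened finding (hypothetical rule)."""
    # A heuristic hit with no evidence string should be re-checked by hand
    # before anyone spends time on remediation.
    needs_verify = finding["confidence"] in ("Low", "Medium") and not finding["evidence"]
    vendor_owned = any(p in finding["uri"] for p in VENDOR_PATHS)
    parts = [
        "verify manually" if needs_verify else "confirmed by evidence",
        "vendor-managed path, remediate via patching and WAF"
        if vendor_owned else "in-house code, fix input handling",
    ]
    return "; ".join(parts)


if __name__ == "__main__":
    for f in findings_for_cwe(SAMPLE_REPORT):
        print(f"{f['method']} {f['uri']} param={f['param']} "
              f"risk={f['risk']} -> {triage(f)}")
```

Run it against a real export with `json.load(open("zap-report.json"))` in place of `SAMPLE_REPORT`; the interesting output is the parameter column, which tells you whether the scanner was probing the credential fields or a redirect parameter such as `url`.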
masnrock commented:
Then yes, WAF would help big time with that. You can filter out a lot of SQL injection attempts at that level.
btan (Exec Consultant) commented:
I don't see why a user could access the host path to get into those pages and tamper with them unless there is some sort of injection weakness or access is gained remotely through some privileged account.
snoopy514us (Author) commented:
You are right, users cannot access the host path. However, since I have a privileged account (administrator), I am able to access the Exchange 2013 server, which is hosting the OWA.

Even with that access, it sounds like we are not supposed to tamper with Microsoft's OWA code, as it should be secured with patches and updates. Correct?
btan (Exec Consultant) commented:
Yes. If you can't control those code changes, as you are not the owner of them, you can only accept the risk if you are still using them. Code deployed would have gone through code scanning and review to catch obvious poor input validation and prevent such injection attacks.
snoopy514us (Author) commented:
Thank you both for your input and help!