OWA 2003 - Due to a lack of sanitization of the user input, the remote version of this software is vulnerable to URL injection.
In order for us to become PCI DSS compliant, an audit must be completed, and the following issue is of major concern:

The remote web server is vulnerable to a URL injection vulnerability.

Description: The remote host is running Microsoft Outlook Web Access 2003. Due to a lack of sanitization of the user input, the remote version of this software is vulnerable to URL injection which can be exploited to redirect a user to a different, unauthorized web server after authenticating to OWA. This unauthorized site could be used to capture sensitive information by appearing to be part of the web application.

Per Exploitlabs, the following info is posted:

========
A vulnerability in Microsoft Outlook Web Access allows malicious attackers to redirect the login to any URL they wish. This allows the attacker to force the user to the site of the attacker's choosing, enabling the attacker to use social engineering and phishing style attacks.

AFFECTED PRODUCTS
=================
Microsoft Outlook Web Access (OWA)
Windows 2003

SOLUTION
========
Microsoft was contacted on Jan 20, 2005.
NO patch has been produced to correct the vulnerability.
They have issued the following:

on Jan 21, 2005 vendor response 1
-----------------
Hello,
Thanks very much for contacting us. We have investigated reports of this behavior in the past and plan to fix it in the next major release of Exchange. Please let me know if you have further questions.

My question is, has this issue been addressed in OWA for Exchange 2003? If so, how? And if not, has it been addressed in Exchange 2007?
January 15th, 2008 11:31pm

I noticed that the original message was from 2005; has Microsoft made any headway in fixing this problem? I am faced with several options, none of which are doable by the end of the week.
January 29th, 2008 10:41pm

I would also like an answer on this one. It seems the CVSS score was recently increased on this vulnerability. Microsoft had issued patches for other Exchange 2003 and OWA vulnerabilities that were posted in 2006, so I'd be curious to know why this one from 2005 was not fixed. Can anyone confirm if this is still a vulnerability with Exchange 2003 running all the latest patches? Thanks. Paul
January 31st, 2008 7:10pm

This is a BUMP and a confirm that an Exchange server with all the current patches still exhibits this behavior... I'm also looking for a fix to this as well. BTW, turning off Forms Based Authentication fixes this PCI hole.
April 22nd, 2008 10:24pm

I posted this on another thread, but thought it was worth repeating here in case a search sends people here and not to the other thread.

Hi All - I know this is an oldie but a goodie... or baddie as the case may be, but I thought I would update this with some information we learned following our own PCI audit.

A manual workaround can be implemented to remove the capability for users to provide a redirect URL via the FBA (Form Based Authentication) QueryString.

1. Navigate to '\Exchsrvr\exchweb\bin\auth\usa'
2. Back up logon.asp
3. Edit logon.asp; change the redirectPath variable on line 54 to your OWA path. It should be edited to be similar to the following example:
   redirectPath = "http://email.yoursite.com/exchange/"
   rather than the default, which looks like
   redirectPath = Request.QueryString("url")
4. Close and save logon.asp
5. Modify and use a URL with the redirect in it (example: http://email.yoursite.com/exchweb/bin/auth/owalogon.asp?url=http://www.microsoft.com/) to verify that arbitrary redirection has been disabled. If the workaround was successful you should not be redirected to microsoft.com.

Also, turning off forms-based auth works like a charm too.
July 22nd, 2009 7:51pm
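The workaround above replaces the untrusted ?url= value with one fixed path, which is why a later poster sees every login land on the same page. The validation that logon.asp never did can be modelled as an allow-list: accept the redirect only when it stays on the OWA host, otherwise fall back to the fixed default. This is an added example in Python, not the thread's or Microsoft's ASP code; the host email.yoursite.com and the default path are taken from the poster's example, and evil.example is a constructed placeholder.

```python
# Added example (not from the thread or from logon.asp): same-host
# validation of the post-login redirect instead of a hardcoded path.
from typing import Optional
from urllib.parse import urlsplit, parse_qs

OWA_HOST = "email.yoursite.com"                           # assumed OWA host
DEFAULT_REDIRECT = "http://email.yoursite.com/exchange/"  # workaround's fixed path


def safe_redirect_target(url_param: Optional[str]) -> str:
    """Return url_param if it stays on OWA_HOST, else DEFAULT_REDIRECT."""
    if not url_param:
        return DEFAULT_REDIRECT
    candidate = url_param.strip()
    # Browsers treat a backslash like a forward slash in URLs; normalise it
    # before parsing so "/\host" is not mistaken for a relative path.
    candidate = candidate.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: only absolute paths on this host are allowed
        # ("//host/..." already lands in netloc, so it does not reach here).
        return candidate if candidate.startswith("/") else DEFAULT_REDIRECT
    # Absolute target: scheme must be web, host must match exactly, and
    # userinfo or an explicit port are rejected rather than reasoned about.
    if parts.scheme.lower() not in ("http", "https"):
        return DEFAULT_REDIRECT
    if parts.hostname is None or parts.hostname.lower() != OWA_HOST:
        return DEFAULT_REDIRECT
    if parts.username is not None or parts.port is not None:
        return DEFAULT_REDIRECT
    return candidate


def redirect_for_login_url(login_url: str) -> str:
    """Given the full owalogon.asp request URL, choose the post-login target."""
    query = parse_qs(urlsplit(login_url).query)
    return safe_redirect_target(query.get("url", [None])[0])
```

The thread's own test URL (url=http://www.microsoft.com/) resolves to the default path, while a relative /exchange/ path or an absolute URL on the OWA host passes through unchanged.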

When we try this, it redirects us ALWAYS to the logon prompt. Which seems like it should, because you're setting the redirectPath. So, if you try to logon, you're redirected to the logon page. Within IIS we set it up to redirect to a custom logon page and I suspect it detects every post as a redirect and thus the PCI 'workaround' (I won't call it a fix!) breaks our OWA. Any ideas?
October 12th, 2009 8:56pm

oops
October 12th, 2009 8:58pm

The only "workaround" is to disable Forms-Authentication.
October 12th, 2009 9:47pm

When Forms-Authentication is disabled, one cannot log in at all. What is going on? It keeps popping up the login and password window. Any ideas? I have tried domain\username and, without the domain, just username, and it still does not work.
January 27th, 2010 12:30am
