Skip navigation

Fixing an OWA Vulnerability


I just heard about a vulnerability in Outlook Web Access (OWA) that can redirect users to malicious Web sites. Can you tell me more about this problem and whether I should be worried?

The vulnerability (which I first saw reported in early February 2005 by ExploitLabs' Donnie Werner) is real, but whether it's a cause for concern is a matter of some debate. Here's the lowdown: It's possible to inject a URL into the OWA logon mechanism so that the OWA logon page redirects users to the injected URL when the users log on. You might think that users would notice if their OWA session suddenly pointed them someplace else, but given the prevalence and success of phishing attacks, I wouldn't bet on it.

There's no way to fix this behavior from within Exchange Server; the OWA logon mechanism depends on URL redirection to accomplish its work. Microsoft has said that it will fix the problem in the next release of Exchange, but in the meantime, you can modify the code in logon.asp to force the logon page to redirect users to Exchange even if another URL is injected into the logon mechanism. Exchange MVP Siegfried Weber wrote the code that Listing 1 shows, which you can insert in logon.asp immediately after the block that begins if redirectPath = "")—at about line 80. This code replaces any existing redirect URL with one that points to the Exchange server's /exchange virtual directory. If you apply this fix, remember that it might be overwritten when you install Exchange service packs.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.