For the OWA Admins out there.
Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: For the OWA Admins out there.

  1. #1
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197

    For the OWA Admins out there.

    There is a vulnerability out there that allows a malicious person to redirect your users away from your trusted site to another that appears to be a "normal" login screen. The user login obviously "fails" and the user is then redirected back to the trusted server's login screen. Obviously, in the meantime, the user's login credentials have been hijacked.

    Source

    Since this requires a user to click on or cut and paste a malformed url the current mitigation is to instruct all users not to, under any circumstances, follow links to their OWA that are sent to them or that appear on any web page except, maybe on the corporate intranet if you link them there.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  2. #2
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    Or use server certificate for your OWA.
    -Simon \"SDK\"

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Ok.... Now, correct me if I am wrong.....

    I just ran the following test in Firefox....

    I requested the following url with Ethereal running:-

    http://www.yahoo.com@www.antionline.com

    The DNS request was for www.antionline.com and the redirection was about to work but Firefox popped up and told me that this was suspicious and that I might be being redirected. If I said "Yes" it took me to AO but popped up another message telling me I'm trying to log into AO with the username www.yahoo.com and the site doesn't require auth.......

    Ok, that aside.... Since it's the browser that's being conned into the redirection how would the certificate be of use? The certificate, in this case, would be for www.yahoo.com but the browser is going to www.antionline.com so, as far as the browser is concerned, the certificate would be irrelevant.

    Or am I missing something?
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  4. #4
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    I get invalid syntax error while I try your link with your @ in it when I use IE. I know IE block most URL with @ now. Before the @ was use to answer a login and password directly in the hyperlink.
    -Simon \"SDK\"

  5. #5
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Using that logic the certificate would be irrelevent in this case.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  6. #6
    Senior Member
    Join Date
    Mar 2004
    Posts
    171
    Does this effect all OWA installations, or just 2003 ? (Couldnt tell from the posted link).
    ~ I'm NOT insane! I've just been in a bad mood for the last 30 years! ~ Somepeople are like Slinky's: Not good for anything, but the thought of pushing them down the stairs brings a smile to your face!

  7. #7
    Senior Member
    Join Date
    Jul 2002
    Posts
    106
    The certificate, in this case, would be for www.yahoo.com
    The certificate would actually be for the OWA site and not yahoo.

    I just tested this with my OWA implementation which uses SSL cert issued by our own internal CA. Since both my Firefox browser accepts certs from our CA, I was taken directly to the site. I tried this on a test box and IE stopped the redirection, Firefox popped up the warning about being redirected. That warning from Firefox is a good or bad thing as we all know how well most users *read* things before the simply click "OK". I like the fact that it actually said something rather than simply stopping me, again though most users don't read that stuff unfortunately. Anyway, I did not install my CA certificate on this test box and Firefox popped up a warning about not knowing who issued my OWA cert.
    just making some minor adjustments to your system....

  8. #8
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    Thanks for the info Tiger. If I read correctly, the attacker has to know the url of the OWA server before starting the fun. This fact may actually slow down the madness and may explain why MS has not reacted very quickly. They're currently on my **** list since I reported a huge security hole in Group Policy yet they are playing a word game with me over the issue. They define something one way, blah, blah...

    Anyway, now that I'm off topic completely, I better crawl back in my hole.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  9. #9
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by Tiger Shark
    http://www.yahoo.com@www.antionline.com
    Am I missing something? This isn't redirection but the same as ftp://username@somesite and, as SDK pointed out, is "fixed" to prevent url spoofing.

    Oliver's Law:
    Experience is something you don't get until just after you need it.

  10. #10
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Nevermind... Unless there is a valid asp page at the target end the redirection doesn't work so the certificate would function as it was intended.....
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •