-
February 15th, 2005, 02:13 PM
#1
For the OWA Admins out there.
There is a vulnerability out there that allows a malicious person to redirect your users away from your trusted site to another that appears to be a "normal" login screen. The user login obviously "fails" and the user is then redirected back to the trusted server's login screen. Obviously, in the meantime, the user's login credentials have been hijacked.
Source
Since this requires a user to click on or cut and paste a malformed URL, the current mitigation is to instruct all users not to, under any circumstances, follow links to their OWA that are sent to them or that appear on any web page, except, maybe, on the corporate intranet if you link them there.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
February 15th, 2005, 03:19 PM
#2
Or use server certificate for your OWA.
-
February 16th, 2005, 02:27 PM
#3
Ok.... Now, correct me if I am wrong.....
I just ran the following test in Firefox....
I requested the following URL with Ethereal running:
http://www.yahoo.com@www.antionline.com
The DNS request was for www.antionline.com and the redirection was about to work but Firefox popped up and told me that this was suspicious and that I might be being redirected. If I said "Yes" it took me to AO but popped up another message telling me I'm trying to log into AO with the username www.yahoo.com and the site doesn't require auth.......
Ok, that aside.... Since it's the browser that's being conned into the redirection how would the certificate be of use? The certificate, in this case, would be for www.yahoo.com but the browser is going to www.antionline.com so, as far as the browser is concerned, the certificate would be irrelevant.
Or am I missing something?
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
February 16th, 2005, 03:18 PM
#4
I get an invalid syntax error when I try your link with the @ in it in IE. I know IE blocks most URLs with @ now. Before, the @ was used to supply a login and password directly in the hyperlink.
-
February 16th, 2005, 03:59 PM
#5
Using that logic, the certificate would be irrelevant in this case.
West of House
You are standing in an open field west of a white house, with a boarded front door.
There is a small mailbox here.
-
February 16th, 2005, 04:20 PM
#6
Does this affect all OWA installations, or just 2003? (Couldn't tell from the posted link.)
~ I'm NOT insane! I've just been in a bad mood for the last 30 years! ~ Some people are like Slinkys: not good for anything, but the thought of pushing them down the stairs brings a smile to your face!
-
February 16th, 2005, 04:25 PM
#7
The certificate would actually be for the OWA site and not yahoo.
I just tested this with my OWA implementation, which uses an SSL cert issued by our own internal CA. Since my Firefox browser accepts certs from our CA, I was taken directly to the site. I tried this on a test box: IE stopped the redirection, and Firefox popped up the warning about being redirected. That warning from Firefox is a good or bad thing, as we all know how well most users *read* things before they simply click "OK". I like the fact that it actually said something rather than simply stopping me; again, though, most users don't read that stuff, unfortunately. Anyway, I did not install my CA certificate on this test box, and Firefox popped up a warning about not knowing who issued my OWA cert.
just making some minor adjustments to your system....
-
February 16th, 2005, 04:30 PM
#8
Thanks for the info, Tiger. If I read correctly, the attacker has to know the URL of the OWA server before starting the fun. This fact may actually slow down the madness and may explain why MS has not reacted very quickly. They're currently on my **** list, since I reported a huge security hole in Group Policy yet they are playing a word game with me over the issue. They define something one way, blah, blah...
Anyway, now that I'm off topic completely, I better crawl back in my hole.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
February 16th, 2005, 04:38 PM
#9
Am I missing something? This isn't redirection but the same as ftp://username@somesite and, as SDK pointed out, is "fixed" to prevent URL spoofing.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
February 16th, 2005, 05:00 PM
#10
Never mind... Unless there is a valid ASP page at the target end, the redirection doesn't work, so the certificate would function as it was intended.....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides