Sql – Blind SQL Injection PCI failure

exchange-2010, pci-dss, sql, windows-sbs-2011

I am working on a client's PCI compliance. One of the failing items is:

3.1.4. Blind SQL Injection (httpgenericscriptblindsqlinjection)

The offered solution is simply:
"Ensure that the Web application validates and encodes user input before using it in a SQL query."

It appears to be related to OWA, as it cites:
"Found blind SQL injection on http:///owa/?P=+ADwscript+ AD4alert(42)+ADw/ script+AD4 using method GET"

Does anyone know how to fix this particular issue?

Best Answer

I think that the term "SQL Injection" is leading you astray here. What they're actually describing is an XSS (Cross-Site Scripting) attack.

You can read about this specific vulnerability here: http://msdn.microsoft.com/en-us/library/dd565635%28v=vs.85%29.aspx

Basically, http:///owa/?P=+ADwscript+ AD4alert(42)+ADw/ script+AD4 is somewhere returning the exact input, totally un-sanitised, on a document that does not specify its encoding type.

This means that the code is actually rendered and parsed by your browser as <script>alert(42)</script>, which shows a popup "42" when loaded.

This particular script is not very naughty, but you could do some really malicious things to people's accounts if you redirected them to that URL on your server. Like embedding a nasty JS file from your server that hijacks all inputs on the page, or inserts a virus into the page, etc.

However, I cannot find any indication that OWA has any of these vulnerabilities, so I can only assume that your OWA server is running something else that has this vulnerability.


I just tried this exploit against an Exchange 2010 server we have here and it doesn't do anything. If this is an SBS 2011 machine as your tags seem to indicate, then normally remote access/owa sites only run under the /remote/ folder. Do you have another default IIS application running on the root of the domain?
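The mechanism the answer describes, as an added illustration that is not part of the original post and not code from Exchange or OWA: a hypothetical page reflects a query parameter into HTML, and a deliberately simplified model of a browser picks a charset the way legacy auto-detection did (honour a declared charset, otherwise guess UTF-7 when the body contains `+...-` shift sequences). The probe is the canonical UTF-7 form with `-` terminators, an assumption since the scanner string quoted on the page omits them. It shows why the scanner's suggested fix ("validate and encode user input") is only half the story: HTML-encoding the reflected value does nothing to `+ADw-script+AD4-` because it contains no `<` or `>` yet; the `<script>` only appears after the browser has sniffed the response as UTF-7. Declaring the charset stops the sniffing; output encoding stops the plain `<script>` payload; you need both.

```python
"""Toy model of the UTF-7 reflected-XSS finding discussed above.

Added illustration, not code from the page or from Exchange/OWA. The
'browser' is a deliberate simplification: real legacy IE charset sniffing
is more involved, but the decision it models (honour a declared charset,
otherwise guess) is the part that makes this class of bug exploitable.
"""
import html
import re

# Constructed probes. The canonical UTF-7 form with '-' terminators is an
# assumption; the scanner string quoted on the page omits them.
UTF7_PROBE = "+ADw-script+AD4-alert(42)+ADw-/script+AD4-"
PLAIN_PROBE = "<script>alert(42)</script>"

# A '+' followed by base64 characters and a '-' terminator: a UTF-7 shift sequence.
UTF7_SHIFT = re.compile(rb"\+[A-Za-z0-9+/]*-")


def build_response(param: str, declare_charset: bool, escape_output: bool):
    """Hypothetical page that reflects a query parameter into its HTML.

    Returns (headers, body_bytes). The two knobs are the two halves of a
    real fix: declaring the charset, and HTML-encoding the reflected value.
    """
    reflected = html.escape(param, quote=True) if escape_output else param
    body = f"<html><body>You searched for: {reflected}</body></html>"
    content_type = "text/html; charset=utf-8" if declare_charset else "text/html"
    return {"Content-Type": content_type}, body.encode("ascii")


def pick_charset(headers: dict, body: bytes) -> str:
    """Simplified browser charset selection.

    A declared charset wins. Without one, a body containing UTF-7 shift
    sequences is read as UTF-7 (the legacy auto-detect behaviour); anything
    else is read as UTF-8.
    """
    m = re.search(r"charset=([\w-]+)", headers.get("Content-Type", ""), re.I)
    if m:
        return m.group(1).lower()
    return "utf-7" if UTF7_SHIFT.search(body) else "utf-8"


def render(headers: dict, body: bytes) -> str:
    """What the browser's HTML parser actually sees after charset decoding."""
    return body.decode(pick_charset(headers, body))


def script_executes(probe: str, declare_charset: bool, escape_output: bool) -> bool:
    """True if the reflected probe reaches the parser as a live <script> tag."""
    headers, body = build_response(probe, declare_charset, escape_output)
    return "<script>" in render(headers, body).lower()


def matrix() -> dict:
    """Exploitability of each probe under each combination of defences."""
    return {
        (probe_name, declare, escape): script_executes(probe, declare, escape)
        for probe_name, probe in (("utf7", UTF7_PROBE), ("plain", PLAIN_PROBE))
        for declare in (False, True)
        for escape in (False, True)
    }


if __name__ == "__main__":
    for (probe, declare, escape), hit in sorted(matrix().items()):
        print(f"{probe:5} charset_declared={declare!s:5} "
              f"escaped={escape!s:5} -> {'XSS' if hit else 'safe'}")
```

Running it prints the four-by-two matrix: the UTF-7 probe is exploitable whenever the charset is undeclared, escaped or not, and the plain probe is exploitable whenever output is unescaped, declared or not. Only the row with both a declared charset and HTML-encoded output is safe against both, which is why the practical check on a finding like this one is to look at the `Content-Type` header of the responding page as well as at how it reflects the parameter.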
