JDave1340
OWA 2003 seems to use a "GET" method rather than a "POST" method when
submitting forms. Every command (DELETE, SELECT, etc.) is placed on the URL.
When the OWA site is configured on a proxy set up as a security device
blocking such things as SQL injection exploit attempts, the commands on the URL
cause the requests to be blocked at the proxy. In addition, addressees'
addresses are on the URL as well; in this case they are completely encoded.
To stop hackers who are encoding their exploits, we look for and block when a
specific number of encodes (or greater) is seen on the URL. The question
is: why are the commands and addressees now on the URL rather than in the
body of the HTTP message, and how do we configure OWA 2003 to put them back in
the HTTP message body?
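
The proxy behaviour described in the post, as an added example (not from the original post and not any product's actual rule set): a sketch of a URL filter that counts percent-encodes and looks for SQL keywords, run on constructed requests to show ordinary commands and fully encoded addresses on the URL tripping it. The threshold, keyword list, paths and parameter names are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumptions: the post gives neither the encode threshold nor the keyword list.
MAX_ENCODES = 5
SQL_KEYWORDS = ("select", "delete", "insert", "update", "drop", "union")
PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def inspect_url(url, max_encodes=MAX_ENCODES):
    """Return (blocked, reasons) for the path and query of one request URL."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    reasons = []
    # Rule 1: too many percent-escapes anywhere on the URL.
    encodes = len(PCT_ESCAPE.findall(target))
    if encodes >= max_encodes:
        reasons.append(f"encodes={encodes}")
    # Rule 2: a SQL keyword as a whole word after decoding.
    decoded = unquote(target).lower()
    hits = [k for k in SQL_KEYWORDS if re.search(rf"\b{k}\b", decoded)]
    if hits:
        reasons.append("keywords=" + ",".join(hits))
    return bool(reasons), reasons


def fully_encode(text):
    """Percent-encode every byte, like the 'completely encoded' addresses."""
    return "".join(f"%{b:02X}" for b in text.encode("utf-8"))


# Constructed requests (hypothetical paths and parameter names, not captured
# from an OWA server).
SAMPLES = [
    "/exchange/user/Inbox/",
    "/exchange/user/Inbox/?Cmd=delete",
    "/exchange/user/Drafts/?To=" + fully_encode("bob@example.com"),
    "/exchange/user/Selected%20Items/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        blocked, reasons = inspect_url(url)
        print("BLOCK" if blocked else "allow", reasons, url)
```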