Re: Microsoft Outlook Web Access URL Injection
From: Valdis.Kletnieks () vt edu
Date: Mon, 07 Feb 2005 14:26:27 -0500
On Mon, 07 Feb 2005 09:27:25 PST, morning_wood said:
> looks like MS is NOT publicly releasing a fix for this, while they have the
> means and solution at hand.
> ( at least under IE )
> a kind reader sent this little snippet...
> "... was able to get Microsoft to provide us with a DLL
> to drop under IIS 6 to compare URL variable against the Host: header
> variable and do 302 to web root if they are not similar. This fixed the
> problem, however, I doubt that Microsoft will make this patch available to
> what happened to MS's commitment to security???
They figured they'd spent the budget for the quarter for PR proclaiming their
commitment to security. Remember - they're nowhere near as committed to
security as they are to the bottom line. A $20M PR campaign will sway a lot
of managers, while a $200M project to actually fix things won't be noticed.
Which would *you* choose if you were them?
(Note that this is heavily dependent on corporate culture - for instance,
if some VP at Google tried that same money-saving stunt, he'd probably get
called in, pointed at the "Don't be evil" sign, and told to find some OTHER
way to save the $180M... But as far as I know, there isn't any such sign
Full-Disclosure - We believe in it.
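The check the quoted reader describes (compare the host named in the URL parameter against the request's Host: header and 302 to the web root when they do not match), written out as an added Python example. This is an illustration added here, not the DLL Microsoft supplied and not code from either poster; the function name, parameter names and sample hostnames are invented for the example. It goes a little beyond the quoted description by also rejecting scheme-relative and backslash forms that browsers treat as a different host.

```python
from urllib.parse import urlsplit


def redirect_target(url_param, host_header):
    """Decide where a login redirect may go.

    Returns url_param unchanged when it stays on the host the client
    asked for (per the Host: header), otherwise "/" (the web root), which
    is the fallback the quoted snippet describes for a mismatch.
    """
    if not url_param:
        return "/"

    # Browsers treat "\" like "/" in the authority part, so "\\evil.example"
    # would become "//evil.example"; normalise before parsing.
    candidate = url_param.strip().replace("\\", "/")
    parts = urlsplit(candidate)

    # Host-relative path ("/exchange/") is fine; "//evil.example" is
    # scheme-relative and lands in parts.netloc, so it is handled below.
    if parts.scheme == "" and parts.netloc == "":
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return "/"

    # Only plain web schemes are acceptable redirect targets.
    if parts.scheme.lower() not in ("http", "https"):
        return "/"

    # Parse the Host: header the same way so "host:port" and "[v6]:port"
    # both reduce to a bare, lower-cased hostname.
    expected = urlsplit("//" + (host_header or "").strip()).hostname or ""
    # .hostname strips userinfo ("user@") and port and lower-cases, so
    # "http://mail.example.com@evil.example/" compares as evil.example.
    actual = parts.hostname or ""

    if not expected or actual != expected:
        return "/"
    return url_param
```

Anything that does not resolve to the requested host falls back to the web root rather than being "corrected", which keeps the decision a simple allow/deny and avoids building a new URL out of attacker-controlled pieces.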