Bypassing ISA 2006 HTTPS redirection rule with HTTP vulnerability publishing SharePoint and OWA - Fix

It was recently pointed out to me that when a user attempts to log onto a SharePoint extranet web site published through ISA, they can replace HTTPS in the header with HTTP, and user credentials could then be sent over the web unencrypted.

For example, if a user connects to the site entering and is redirected to <parameters>, then the user manually modifies the URL back to HTTP, e.g. <parameters>.

This is obviously a security vulnerability, and Microsoft has published a KB article (958607) describing how to resolve it, which can be seen here.

If you have Exchange or SharePoint published via ISA 2006, I would strongly suggest applying either the ISA hotfix or the workaround to resolve this.
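Whichever route you take, it is worth confirming from outside the network that the plain-HTTP listener no longer serves the logon page. The script below is an added example, not from this post, the KB article or Microsoft; it sends one HTTP request with redirects disabled and classifies the first reply (a 3xx to https:// on the same host is the expected outcome; a 2xx or a 401 challenge over HTTP is the weakness described above). The hostnames and paths in the sample replies are constructed placeholders, and `probe`, `classify_http_response` and `audit_samples` are names chosen here.

```python
"""Check whether a site published over HTTPS still answers plain-HTTP
requests with content, or correctly redirects or blocks them.
Added example; hostnames in SAMPLE_REPLIES are constructed placeholders."""
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def classify_http_response(requested_url, status, headers):
    """Classify the reply a published site gave to a plain-HTTP request.

    headers is any mapping with .get() (a dict or email.message.Message).
    Returns one of:
      'redirect-to-https' - the safe outcome: 3xx to https:// on the same host
      'served-over-http'  - 2xx content, or a 401 challenge, over HTTP: a logon
                            form or auth prompt here means credentials can be
                            sent unencrypted
      'blocked'           - 403/404: the HTTP listener refuses the path
      'other'             - redirect to http:// or another host, 5xx, etc.
    """
    requested_host = (urlsplit(requested_url).hostname or "").lower()
    if status in REDIRECT_CODES:
        target = urlsplit(headers.get("Location", ""))
        target_host = (target.hostname or "").lower()
        if target.scheme.lower() == "https" and target_host == requested_host:
            return "redirect-to-https"
        return "other"
    if 200 <= status < 300 or status == 401:
        return "served-over-http"
    if status in (403, 404):
        return "blocked"
    return "other"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the first hop can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, timeout=10):
    """Send one GET to url (an http:// URL) and classify the first reply."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify_http_response(url, resp.status, resp.headers)
    except urllib.error.HTTPError as err:
        # Unfollowed 3xx replies and 4xx/5xx replies both arrive here.
        return classify_http_response(url, err.code, err.headers)


# Constructed sample replies (placeholder hosts), one per outcome.
SAMPLE_REPLIES = {
    "fixed": ("http://owa.example.test/owa/", 302,
              {"Location": "https://owa.example.test/owa/"}),
    "vulnerable": ("http://sp.example.test/_layouts/login.aspx", 200,
                   {"Content-Type": "text/html"}),
    "basic-challenge": ("http://owa.example.test/owa/", 401,
                        {"WWW-Authenticate": 'Basic realm="OWA"'}),
    "wrong-scheme-redirect": ("http://owa.example.test/owa/", 302,
                              {"Location": "http://owa.example.test/owa/auth/logon.aspx"}),
    "blocked": ("http://sp.example.test/_layouts/login.aspx", 403, {}),
}


def audit_samples():
    """Classify each constructed sample reply; returns {name: verdict}."""
    return {name: classify_http_response(url, status, hdrs)
            for name, (url, status, hdrs) in SAMPLE_REPLIES.items()}


if __name__ == "__main__":
    for name, verdict in audit_samples().items():
        print(f"{name:22s} -> {verdict}")
    # Live check against your own published listener (needs network):
    #   python check_http_listener.py http://owa.example.test/owa/
    for live_url in sys.argv[1:]:
        print(live_url, "->", probe(live_url))
```

Run it against the published host name before and after the change; a `served-over-http` verdict for the logon path means the HTTP listener is still handing out the form (or a Basic challenge) in the clear, while `redirect-to-https` is what you want to see.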