Exchange 2003 OWA and URL redirection


Someone recently asked why OWA rewrites external links in messages to go through redir.asp. For example, if you receive an HTML message with an embedded link to http://www.microsoft.com, OWA will actually rewrite the link to point to http://exchangeserver/exchweb/bin/redir.asp?URL=http://www.microsoft.com. But why does it do it?

It turns out that not doing so entails a bit of privacy risk. The DAV URL namespace makes use of both the username and the PIM item name. OWA is built on these URLs, so every time a user views a message, their web browser is making a request to a URL like http://exchangeserver/exchange/username/Inbox/Message.EML to retrieve it. Now, if that user were to follow a link embedded within the retrieved message, their web browser would happily send the originating page URL in the HTTP Referer header. Most web sites log this header, so anyone looking at the HTTP access log can infer the user's mailbox name (which in many companies maps trivially to the user's actual name) and the subject line of that email message. Links redirected via redir.asp, on the other hand, will show redir.asp in the Referer header, scrubbing both the username and the subject line in the process. Much better!

Additionally, we make use of script within redir.asp to change document.location to the requested URL. This has the effect of certain versions of IE and Netscape sending no Referer header at all. Browsers which do not exhibit this behavior will continue sending redir.asp in the referrer field, which is still good, as explained above.

Alex Ingerman
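The rewrite described above, as an added Python illustration (this is not Exchange's own code; OWA does this server-side in a different language): anchor targets in an HTML body are wrapped in the redir.asp URL, and a second helper shows what a third-party access log would recover from the Referer with and without the rewrite. The redirector location, the sample DAV message URL, and the sample message body are constructed for the demo, and escaping the target's own query characters while leaving `:` and `/` readable is a choice made here, not something the post specifies.

```python
"""Rewrite links in an HTML message body through a redirector.

Added illustration, not Exchange's own code. It mimics the behavior the
post describes: <a href> targets become
http://exchangeserver/exchweb/bin/redir.asp?URL=<target>, so that the
Referer a third-party site sees names redir.asp rather than the DAV URL
of the message. REDIR_BASE, MESSAGE_URL and the sample body are constructed.
"""
import html
from html.parser import HTMLParser
from urllib.parse import quote, unquote, urlsplit

# Constructed: redirector location, and the DAV URL OWA used to fetch the message.
REDIR_BASE = "http://exchangeserver/exchweb/bin/redir.asp?URL="
MESSAGE_URL = "http://exchangeserver/exchange/jdoe/Inbox/Q3%20layoff%20plan.EML"


class LinkRewriter(HTMLParser):
    """Re-emit the input HTML, wrapping http(s) hrefs on <a> tags in redir_base."""

    def __init__(self, redir_base):
        super().__init__(convert_charrefs=False)
        self.redir_base = redir_base
        self.out = []
        self.rewritten = []  # original targets that were wrapped

    def handle_starttag(self, tag, attrs):
        parts = []
        for name, value in attrs:
            if tag == "a" and name.lower() == "href" and value:
                if urlsplit(value).scheme.lower() in ("http", "https"):
                    self.rewritten.append(value)
                    # Escape the target's own ?, & and = so it cannot merge with
                    # redir.asp's query string; ':' and '/' stay readable (my choice).
                    value = self.redir_base + quote(value, safe=":/")
            if value is None:
                parts.append(f" {name}")
            else:
                parts.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(parts)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> and friends

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def rewrite_links(body, redir_base=REDIR_BASE):
    """Return (rewritten_html, list_of_original_http_targets)."""
    parser = LinkRewriter(redir_base)
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.rewritten


def referer_exposure(referer):
    """What a site's access log learns from a Referer value.

    A DAV path /exchange/<mailbox>/<folder>/<item>.EML gives away the mailbox
    and the item name; a redir.asp path gives away neither.
    """
    segments = [s for s in urlsplit(referer).path.split("/") if s]
    if len(segments) >= 3 and segments[0].lower() == "exchange":
        return {"mailbox": unquote(segments[1]), "item": unquote(segments[-1])}
    return {}


if __name__ == "__main__":
    sample = ('<p>Read <a href="http://www.microsoft.com/?q=1&amp;r=2">this</a> '
              'or <a href="mailto:someone@example.com">mail me</a>.</p>')  # constructed
    rewritten, targets = rewrite_links(sample)
    print(rewritten)
    print("without redir.asp, the site learns:", referer_exposure(MESSAGE_URL))
    print("with redir.asp, the site learns:", referer_exposure(REDIR_BASE + targets[0]))
```

Only http and https hrefs are wrapped; mailto: and other schemes pass through untouched, since a redirector can only forward to web URLs.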


Comments (5)
  1. Steve Evans says:

    However, if someone is logged into OWA and receives an e-mail with a link to a URL on the OWA box (like maybe a SharePoint site, or a website being hosted on the front ends), they get a not authorized error.

    Any fix for that?

  2. Raj says:

    I have had the same issue that Steve Evans is talking about. Would like to know if there is a fix too. Thanks.

  3. Alex Ingerman says:

    Steve and Raj,

    What you are describing is by-design behavior. We prohibit redirects pointing back at the server for security reasons. Otherwise, an attacker could send you an email with an embedded link which attempted to do something nasty, like issue a GET to empty the deleted items folder. Unfortunately, as you noted, this affects the ability to link to other items on the same virtual server.

    Alex

  4. Steve Evans says:

    Alex,

    Possible workaround: allow configurable allowed URLs, so an admin could go in and say http://server/sharepoint/* or http://server/helpsite/* is okay, for example. That should be harmless.

  5. Alex Ingerman says:

    Hi Steve,

    There is no *supported* way of enabling some URLs but not others right now. It is, however, possible to do. If you open up redir.asp in any text editor, you can find the VBScript code responsible for URL blocking and modify it as you see fit (for example, providing an exception list). Just look at the very bottom of the IsSafeUrl() function.

    If you modify the redir.asp file, be sure to keep the backup! Once again, this is neither recommended nor supported by PSS in any way.

    I’ll keep your suggestion in mind for future versions of OWA.

    Alex
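The policy Alex describes in comments 3 and 5, with the exception list Steve suggests in comment 4, as an added Python illustration. This is not the VBScript IsSafeUrl() in redir.asp, which the page does not reproduce: a target that points back at the OWA server is refused unless its path falls under an administrator-supplied prefix. The server names, the allowed prefixes, the http/https-only rule, and the path normalization (decoding, backslash folding, collapsing `..`) are assumptions of this example.

```python
"""Redirect-target policy in the spirit of redir.asp's IsSafeUrl().

Added Python illustration, not the VBScript shipped in redir.asp: a target
pointing back at the OWA server is refused, so a mailed link cannot make the
user's browser issue a request against their own mailbox, unless an
administrator has listed its path prefix as an exception. SERVER_NAMES,
ALLOWED_PREFIXES, the http/https-only rule and the path normalization are
assumptions of this example.
"""
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed: every name the OWA virtual server answers to.
SERVER_NAMES = {"exchangeserver", "exchangeserver.corp.example", "mail.example.com"}
# Constructed: same-server areas an admin chooses to permit (Steve's suggestion).
ALLOWED_PREFIXES = ("/sharepoint/", "/helpsite/")


def normalize_path(path):
    """Decode, fold IIS-style backslashes, and collapse '.' and '..' segments."""
    decoded = unquote(path or "/").replace("\\", "/")
    norm = posixpath.normpath(decoded)
    if not norm.startswith("/"):
        norm = "/" + norm
    return norm


def path_allowed(path, allowed_prefixes):
    """True if the normalized path sits under one of the permitted prefixes."""
    norm = normalize_path(path)
    for prefix in allowed_prefixes:
        base = prefix.rstrip("/")
        if norm == base or norm.startswith(base + "/"):
            return True
    return False


def is_safe_url(target, server_names=SERVER_NAMES, allowed_prefixes=()):
    """Return True if the redirector should forward the browser to `target`."""
    parts = urlsplit(target.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return False  # assumption: only web URLs are forwarded
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    if not host:
        return False  # a relative target would resolve back to this server
    if host not in {n.lower().rstrip(".") for n in server_names}:
        return True   # external site: the normal, permitted case
    # Points back at us: permitted only under an explicit exception.
    return path_allowed(parts.path, allowed_prefixes)


if __name__ == "__main__":
    for url in ("http://www.microsoft.com",
                "http://exchangeserver/exchange/jdoe/Deleted%20Items/",
                "http://exchangeserver/sharepoint/default.aspx",
                "http://exchangeserver/sharepoint/../exchange/jdoe/Inbox"):
        print(is_safe_url(url, allowed_prefixes=ALLOWED_PREFIXES), url)
```

The normalization step is what keeps an exception list from undoing the same-server rule: a prefix match on the raw path would accept `/sharepoint/../exchange/...`, while matching on the collapsed path does not. Comparing by hostname only is an assumption of the example; a server reachable by an IP literal or an alias not in the list would be treated as external.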
