
Exchange 2003 OWA and URL redirection

Someone recently asked why OWA rewrites external links in messages to go through redir.asp. For example, if you receive an HTML message with an embedded link to http://www.microsoft.com, OWA will actually rewrite the link to point to http://exchangeserver/exchweb/bin/redir.asp?URL=http://www.microsoft.com. But why does it do it?
 
It turns out that not doing so entails a real privacy risk. The DAV URL namespace incorporates both the username and the PIM item name. OWA is built on these URLs, so every time a user views a message, their web browser requests a URL like http://exchangeserver/exchange/username/Inbox/Message.EML to retrieve it. Now, if that user were to follow a link embedded within the retrieved message, their web browser would happily send the originating page URL in the HTTP Referer header. Most web sites log this header, so anyone looking at the HTTP access log can infer the user's mailbox name (which in many companies maps trivially to the user's actual name) and the subject line of that email message. But links redirected via redir.asp will show redir.asp in the Referer header, scrubbing both the username and the subject line in the process. Much better! Additionally, we use script within redir.asp to change document.location to the requested URL. This has the effect that certain versions of IE and Netscape send no Referer header at all. Browsers which do not exhibit this behavior will continue sending redir.asp in the Referer field, which is still good, as explained above.

- Alex Ingerman

Published Monday, July 26, 2004 11:38 AM by Exchange

Comments

 

Steve Evans said:

However, if someone is logged into OWA and receives an e-mail with a link to a URL on the OWA box (like maybe a SharePoint site, or a website being hosted on the front ends), they get a not authorized error.

Any fix for that?
July 26, 2004 2:30 PM
 

Raj said:


I have had the same issue that Steve Evans is talking about. Would like to know if there is a fix too. Thanks.
July 26, 2004 5:09 PM
 


Alex Ingerman said:

Steve and Raj,

What you are describing is by-design behavior. We prohibit redirects pointing back at the server for security reasons. Otherwise, an attacker could send you an email with an embedded link which attempted to do something nasty, like issue a GET to empty the Deleted Items folder. Unfortunately, as you noted, this affects the ability to link to other items on the same virtual server.

Alex
July 27, 2004 2:15 PM
 

Steve Evans said:

Alex,

Possible workaround: allow configurable allowed URLs, so an admin could go in and say http://server/sharepoint/* or http://server/helpsite/* is okay, for example. That should be harmless.
July 27, 2004 3:47 PM
 

Alex Ingerman said:

Hi Steve,

There is no *supported* way of enabling some URLs but not others right now. It is, however, possible to do. If you open up redir.asp in any text editor, you can find the VBScript code responsible for URL blocking and modify it as you see fit (for example, providing an exception list). Just look at the very bottom of the IsSafeUrl() function.

If you modify the redir.asp file, be sure to keep the backup! Once again, this is neither recommended nor supported by PSS in any way.

I'll keep your suggestion in mind for future versions of OWA.

Alex
July 27, 2004 5:09 PM
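To make the two mechanisms discussed concrete (the link rewrite through redir.asp from the post, and the IsSafeUrl()-style refusal of links back at the server with the exception list suggested in the comments), here is a small model written for this page; it is not OWA's own redir.asp code. The host name exchangeserver, the percent-encoding of the URL parameter and the exception list are assumptions.

```python
import json
import re
from urllib.parse import quote, urlsplit

# Assumed names: the OWA front end's host name and the redirector path shown in the post.
OWA_HOST = "exchangeserver"
REDIR_PREFIX = f"http://{OWA_HOST}/exchweb/bin/redir.asp?URL="


def rewrite_links(html):
    """Stage 1 (message rendering): point every href at redir.asp so the browser's
    Referer becomes the redirector instead of /exchange/<user>/Inbox/<subject>.EML.
    The query value is percent-encoded here; the post shows it unencoded, so treat
    the encoding as this example's choice, not OWA's exact behaviour."""
    def repl(m):
        return m.group(1) + REDIR_PREFIX + quote(m.group(2), safe="") + m.group(3)
    return re.sub(r'(href=")([^"]*)(")', repl, html, flags=re.IGNORECASE)


def is_safe_url(url, allowed_prefixes=()):
    """Stage 2 (redir.asp, modelled on the IsSafeUrl() check the thread mentions):
    only http/https targets are redirected, and targets on the OWA server itself are
    refused unless they match an admin exception list (the workaround from the
    comments; hypothetical, not a product feature)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.hostname == OWA_HOST:  # hostname is already lower-cased, port stripped
        return any(parts.path.startswith(p) for p in allowed_prefixes)
    return True


def redir_response(url, allowed_prefixes=()):
    """Return (status, body) as redir.asp would: a refusal for links back at the
    server, otherwise a page whose script sets document.location (so some browsers
    send no Referer at all, and the rest send redir.asp)."""
    if not is_safe_url(url, allowed_prefixes):
        return 403, "Not authorized"
    # json.dumps yields a JS string literal; also break "</" so a URL cannot close the script tag
    literal = json.dumps(url).replace("</", "<\\/")
    return 200, f"<script>document.location = {literal};</script>"
```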