Exchange 2003 SP2 .NET 1.1 - Use only Unicode codepages for output on ASP.Net pages
Hi,

We are migrating from Exchange 2003 to 2010, but in the meantime we have regular outsourced audits on our OWA2003 servers for compliance with a group of audit requirements. The reports are indicating that the OWA 2003 front end servers have a flaw that is related to the version of .NET that we are running, which is .NET 1.1. The report indicates that we have to fix the problem either by upgrading .NET, which we can't because any release over 1.1 is not supported by Exchange 2003 SP2. The other solution is a workaround, which will be to use only Unicode codepages for output on ASP.Net pages. I have no idea what that means, how to make/revert this change or if this change is going to work with OWA 2003. I have attached the report below, which further describes the change. I was wondering if someone could give me a hand and tell me how to approach this change. Thank you.

------------------------------
THREAT: ASP.NET is a Web application framework developed by Microsoft. ASP.NET Web sites are vulnerable to cross-site scripting attacks. The problem arises from the lack of a filtration of special HTML characters in range U+ff00-U+ff60 (fullwidth ASCII characters). An attacker could exploit this vulnerability when Unicode strings are converted to national ASCII codepages.
Affected Versions: ASP .NET Framework 1.0 and 1.1 are affected

IMPACT: Exploitation could allow an attacker to execute arbitrary script code.

SOLUTION: There are no vendor supplied patches available. However, .NET Framework should be updated to the latest available version. Refer to ASP .NET XSS for further information.
Workaround: Use only Unicode codepage for output on ASP.Net pages

<configuration>
  <system.web>
    <globalization responseEncoding="utf-8"></globalization>
  </system.web>
</configuration>

RESULT:
<html>
<head>
<title>The resource cannot be found.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
pre {font-family:"Lucida Console";font-size: .9em}
.marker {font-weight: bold; color: black;text-decoration: none;}
.version {color: gray;}
.error {margin-bottom: 10px;}
.expandable { text-decoration:underline;font-weight:bold; color:navy; cursor:hand; }
</style>
</head>
<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
The resource cannot be found.
</span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.
Requested Url: /FileN0tEx15T.aspx
</body>
</html>
May 15th, 2012 10:58am
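The issue the audit report describes, as an added illustration that is not part of the original thread or of any Microsoft code. `simulated_best_fit` is an assumption that models the Unicode-to-national-codepage conversion by folding fullwidth forms to their ASCII look-alikes, and the sample string is constructed:

```python
import html
import unicodedata

# Fullwidth forms of '!'..'~' (the ASCII look-alikes inside the report's range).
FULLWIDTH_FIRST, FULLWIDTH_LAST = 0xFF01, 0xFF5E
OFFSET = 0xFEE0  # U+FF01 - U+0021


def is_fullwidth_ascii(ch: str) -> bool:
    return FULLWIDTH_FIRST <= ord(ch) <= FULLWIDTH_LAST


def simulated_best_fit(text: str) -> str:
    """Assumption: stands in for a codepage conversion that replaces
    fullwidth forms with the ASCII characters they resemble."""
    return "".join(chr(ord(c) - OFFSET) if is_fullwidth_ascii(c) else c
                   for c in text)


def has_fullwidth_ascii(text: str) -> bool:
    """Detection check a front-end filter or reverse proxy could apply."""
    return any(is_fullwidth_ascii(c) for c in text)


def encode_then_convert(text: str) -> str:
    """Order the report warns about: HTML-encode first, convert last.
    The encoder never sees an ASCII '<', so nothing is escaped."""
    return simulated_best_fit(html.escape(text))


def fold_then_encode(text: str) -> str:
    """Hardened order: NFKC folds fullwidth forms to ASCII, then encode."""
    return html.escape(unicodedata.normalize("NFKC", text))


def utf8_response(text: str) -> bytes:
    """The report's workaround: a Unicode response encoding has no
    folding step, so the fullwidth characters stay fullwidth."""
    return html.escape(text).encode("utf-8")


# Constructed sample: fullwidth angle brackets around a harmless <b> tag.
SAMPLE = "\uff1cb\uff1ehello\uff1c/b\uff1e"

if __name__ == "__main__":
    print("flagged by filter :", has_fullwidth_ascii(SAMPLE))
    print("encode, convert   :", encode_then_convert(SAMPLE))
    print("fold, encode      :", fold_then_encode(SAMPLE))
    print("utf-8 has '<'     :", b"<" in utf8_response(SAMPLE))
```
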

How fast can you migrate to 2010? Haven't the regular audits been flagging this issue on the 2003 servers for years?
May 15th, 2012 4:18pm

No, they have increased their audit requirement so now they look for stuff that they didn't used to look for in the past. I am almost ready to migrate but my boss wanted to fix this issue first or wanted to know our options before switching priorities on the current projects. Any thoughts on how to fix this other than migrate to Exchange 2010?
May 15th, 2012 5:01pm

Well, I suppose putting a reverse proxy in front of the server is one option. But honestly, why put effort into something that is past its support life? Seems to me the effort should be on getting over on 2010.
May 15th, 2012 5:37pm

On Tue, 15 May 2012 20:55:10 +0000, post wrote:

>No, they have increased their audit requirement so now they look for stuff that they didn't used to look for in the past. I am almost ready to migrate but my boss wanted to fix this issue first or wanted to know our options before switching priorities on the current projects.
>
>Any thoughts on how to fix this other than migrate to Exchange 2010?

You can't "fix" it because Exchange won't use .Net 2.0. To use a different version of the .Net framework requires recompiling the code that references the .Net assemblies. Moving off a nine year old product to something more up-to-date is your only choice if you must use a different release of .Net.

---
Rich Matheisen
MCSE+I, Exchange MVP
May 15th, 2012 8:03pm

Yes, move to Exchange 2010 server and then decommission Exchange 2003 server when everything is working fine. Refer to:
http://support.microsoft.com/kb/833396
http://support.microsoft.com/kb/822931

Fiona Liao
TechNet Community Support
May 16th, 2012 2:55am

This topic is archived. No further replies will be accepted.
