How To Make Your Outlook Web App 2010 Redir.aspx A Little Safer


The Redir.aspx file in OWA 2010 handles the hyperlinks users click within messages they read in OWA: links in a message are rewritten to pass through it, and it then sends the browser on to the real target. It is not obvious from the file what it protects against; its visible effect is to put a page of OWA's own between the message and the destination, so the site you land on is reached from the redirect page rather than straight from the message view. What it does not address is the case where the hyperlink caption itself looks like a URL, so users can easily be fooled by something like this:

<a href="http://i-want-your-bank-details.com">http://fluffy-kittens.com</a>

The user sees http://fluffy-kittens.com, but the link actually takes them to http://i-want-your-bank-details.com. This is not an unusual tactic: I personally see several emails like this each day, and it is the usual way scammers try to get your bank details.
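As an added illustration (not code from the original post), the following check flags exactly this kind of link: it takes an anchor's visible caption and its real href, and reports a mismatch when the caption looks like a web address whose host differs from the host the link actually points to. The function names and the sample anchors are made up for the example; captions that are not addresses ("click here") are not flagged, since there is nothing to compare, and hosts are compared exactly, so "example.com" against "example.com.evil.net" counts as a mismatch.

```javascript
// Added example, not code from the post: detect a hyperlink whose caption
// looks like one address while its href points somewhere else.

// Does the caption read like a web address (scheme optional, at least one
// dotted label, then end of string or a path/query/port separator)?
function looksLikeUrl(text) {
  return /^(?:https?:\/\/)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[\/?#:]|$)/i.test(text.trim());
}

// Host name of an address, or null if it does not parse. A bare
// "www.example.com/login" is given an http:// prefix first.
function hostOf(address) {
  const s = address.trim();
  try {
    return new URL(/^https?:\/\//i.test(s) ? s : 'http://' + s).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Returns { shown, actual } when the caption advertises one host and the
// href goes to another; null when the caption is not an address or both
// hosts agree.
function deceptiveLink(caption, href) {
  if (!looksLikeUrl(caption)) return null;
  const shown = hostOf(caption);
  const actual = hostOf(href);
  if (shown === null || shown === actual) return null;
  return { shown: shown, actual: actual };
}

// Constructed sample anchors, as they might appear in a message body.
const SAMPLE_LINKS = [
  { caption: 'http://fluffy-kittens.com', href: 'http://i-want-your-bank-details.com' },
  { caption: 'click here', href: 'http://i-want-your-bank-details.com' },
  { caption: 'www.example.com/login', href: 'https://www.example.com/login' },
  { caption: 'http://example.com', href: 'http://example.com.evil.net/' },
];

// Runs the check over a list of anchors and keeps only the deceptive ones.
function auditLinks(links) {
  return links
    .map((l) => ({ caption: l.caption, mismatch: deceptiveLink(l.caption, l.href) }))
    .filter((r) => r.mismatch !== null);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of auditLinks(SAMPLE_LINKS)) {
    console.log('"' + r.caption + '" shows ' + r.mismatch.shown + ' but goes to ' + r.mismatch.actual);
  }
}
```

Run with Node; the first and fourth sample anchors are reported, the other two are not. The check uses the URL constructor, so it assumes a runtime that has one (Node or a current browser).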

The easiest way round this is to change redir.aspx slightly so that it shows the actual target URL instead of silently redirecting. If you want to try it, look for the redir.aspx file in

C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa

make a backup copy and then open it in Notepad. Look for this part

if (NewMailCreated && !UserContext.IsBasicExperience) { %>
    window.location.href = a_sURL + gtMmPar();
<%    } else { %>
    window.location.href = a_sURL;

and change it to this

if (NewMailCreated && !UserContext.IsBasicExperience) { %>
    //window.location.href = a_sURL + gtMmPar();
    document.write("<b>Please verify this address before clicking on it</b><br>");
    document.write("<a href=\"" + a_sURL + gtMmPar() +"\">");
    document.write(a_sURL + gtMmPar());
    document.write("</a>");
<%    } else { %>
    //window.location.href = a_sURL;
    document.write("<b>Please verify this address before clicking on it</b><br>");
    document.write("<a href=\"" + a_sURL +"\">");
    document.write(a_sURL);
    document.write("</a>");

and then save the file back again. You may have guessed that the // part turns the original lines into comments, so that you can easily change it back. One caveat: these document.write calls put a_sURL into the page as raw HTML, so a target address containing a double quote or an angle bracket would become markup rather than text. Encode the address before writing it, or build the link with DOM calls such as createElement and textContent instead.
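Added example (not code from the original post or from Exchange): the same verify page written so that the target address is HTML-encoded before it is placed in the page, with the host name shown on its own line so a look-alike domain stands out, and with anything that is not an http(s) address left unlinked. The names escapeHtml and verifyPageHtml are assumptions; in redir.aspx the two branches would call document.write(verifyPageHtml(a_sURL + gtMmPar())) and document.write(verifyPageHtml(a_sURL)) in place of the document.write lines above. The URL constructor is assumed to be available (it is in Node and current browsers, not in the browsers of OWA 2010's era, which would need a different host-extraction routine).

```javascript
// Added example, not code from the post or from Exchange: render the
// "verify this address" page without pasting the raw target into HTML.

// Minimal HTML encoder for the five characters that can break out of
// text or a quoted attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Builds the markup that replaces window.location.href = a_sURL.
// The address is encoded wherever it appears, the host is shown on its
// own line, and anything that is not an http(s) address (javascript:,
// file:, mailto:, a relative path) is shown as text with no link.
function verifyPageHtml(target) {
  const header = '<b>Please verify this address before clicking on it</b><br>';
  const shown = escapeHtml(target);
  let parsed = null;
  try {
    parsed = new URL(target);
  } catch (e) {
    // not an absolute URL; fall through to the unlinked form
  }
  if (parsed === null || (parsed.protocol !== 'http:' && parsed.protocol !== 'https:')) {
    return header + 'Not a web address, link disabled: ' + shown;
  }
  return header +
    'Site: <b>' + escapeHtml(parsed.hostname) + '</b><br>' +
    '<a href="' + shown + '">' + shown + '</a>';
}

// Constructed sample targets: a plain phishing address, one that tries to
// break out of the attribute, and a non-web scheme.
const SAMPLE_TARGETS = [
  'http://i-want-your-bank-details.com/login',
  'http://i-want-your-bank-details.com/?x="><script>alert(1)</script>',
  'javascript:alert(document.cookie)',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const t of SAMPLE_TARGETS) console.log(verifyPageHtml(t) + '\n');
}
```

The second sample shows why the encoding matters: with the author's document.write lines the quote and angle brackets would close the href attribute and start a script element, whereas here they reach the page as &quot;, &lt; and &gt; and are only displayed.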

Please note that, because OWA files are usually replaced by service packs and rollups, you will need to check that your changes are still intact after applying one.


10 Responses to How To Make Your Outlook Web App 2010 Redir.aspx A Little Safer

  1. Bryan Skowera says:

    Sorry to comment on a post so old, but I was wondering if you ever had luck on preventing the reformatting of links in OWA to push through the redir.aspx page?

    I know the masking of links in OWA to utilize the redir.aspx page dates back to Exchange 2003 and is the default behavior designed by Microsoft, but we’ve been trying to find any means to work around that.

    • admin says:

      You mean you want to get it to not use the redir.aspx at all, but show links that go direct to the original source? I don’t know of a way of preventing that (it’s in compiled code that you can’t get to and edit). What were you hoping to achieve? There might be another way of doing it.

  2. Bryan Skowera says:

    We have a portion of our user base which only accesses our Exchange 2010 system through OWA. Many members of this group need to copy/paste links from OWA into another system, and, due to varying degrees of technical skills and/or language skills, many are unable to follow the process of making sure the pasted link is the actual link and not the rewritten URL. Your posted redir.aspx rewrite is good, but these folks would have as much problem following the link once to get the real link as they do now.

  3. Ptochos says:

    Thanks for the tweak!

    It works perfectly in Exchange 2007.

  4. Cody says:

Do I have to restart IIS/RPC Client Access services after making this edit? I did an iisreset but the behavior is still the same.

    I have one user who *only* uses an iPad/Active Sync to manage his email. I’m about to put him on GOOD since I hardly find it a good idea to go editing a file just because one person of thousands is having hyperlink issues.

    I hope this behavior is gone in Exchange 2016. No idea what M$ was thinking when they coded this behavior.

    • admin says:

You may need to restart IIS, since IIS likes to cache pages server-side until it is restarted. When people stop requesting it (i.e. overnight, or during some other quiet spell), then it will empty it from the cache, and you should get the new version without restarting anything. You can easily tell, though: just try it in IE and see what happens. RPC Client Access isn't concerned with this.

  5. Jay Attiya says:

    Your solution worked great in Exchange 2010. It fixes a big security hole and makes users think (and look) twice before going to a linked site.

