Слепое Внедрение SQL отказ PCI

I think that the term "SQL Injection" is leading you astray here. What they're actually describing is a XSS (Cross-Site Scripting) attack.

You can read about this specific vulnerability here: http://msdn.microsoft.com/en-us/library/dd565635%28v=vs.85%29.aspx

Basically, http:///owa/?P=+ADwscript+ AD4alert(42)+ADw/ script+AD4 is somewhere returning the exact input, totally un-sanitised, on a document that does not specifcy its encoding type.

This means that that code is actually rendered and parsed by your browser as which shows a popup "42" when loaded.

This particular script is not very naughty, but you could do some really malicious things to peoples accounts if you redirected them to that URL on your server. Like embedding a nasty JS file from your server that hijacks all inputs on the page, or inserts a virus into the page, etc.

However, I cannot find any indication that OWA has any of these vulnerabilities, so I can only assume that your OWA server is running something else that has this vulnerability.

I just tried this exploit against an Exchange 2010 server we have here and it doesn't do anything. If this is an SBS 2011 machine as your tags seem to indicate, then normally remote access/owa sites only run under the /remote/ folder. Do you have another default IIS application running on the root of the domain?