Update 11/8/2022: We have now released November 2022 Security Updates for Exchange Server. Please install those (or newer) updates to address vulnerabilities mentioned in this post. Mitigations are n...
Updated Nov 08, 2022
Version 17.0
Blog Post
2 MIN READ
Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server
"x-up-devcap-post-charset" can be used to trick the current IIS URL Rewrite rule as shown in https://twitter.com/wdormann/status/1582083758047760384/photo/3 mentioned in the comment of CVO123
Nino_Bilic of Microsoft stated: "We are aware of this, yes. We evaluate all such claims, put them though a set of tests and address, if needed."
Despite that Nino_Bilic later asked if "x-up-devcap-post-charset" is related to the Exchange vulnerabilities. A week has passed since these bypasses have been published and neither the Mitigations (https://web.archive.org/web/*/https://officeclient.microsoft.com/getexchangemitigations) nor the documentation regarding "x-up-devcap-post-charset" and "DisableRequestSmuggling" have been improved.
Instead, because Microsoft doesn't seem to offer a SSO federation, we are urged to Create a GitHub Account to get this fixed by ourselves:
https://github.com/MicrosoftDocs/SupportArticles-docs/blob/main/support/developer/webapps/iis/iisadmin-service-inetinfo/httpsys-registry-windows.md
https://referencesource.microsoft.com/#System/net/System/Net/HttpListenerRequest.cs contains "x-up-devcap-post-charset" but the feedback button leads to mailto:refsrcfeedback @ microsoft.com not to a GitHub repo.