Exchange 2000 Outlook Web Access Vulnerable to Denial of Service Attack

Reported September 27, 2001, by Joao Gouveia.

VERSION AFFECTED

·         Exchange 2000 Outlook Web Access (OWA)

DESCRIPTION
A vulnerability exists in Exchange 2000 OWA that results from unchecked directory paths. Because Exchange attempts to process requests without checking for the existence of a directory, an attacker can instigate a Denial of Service (DoS) attack against the server by repeatedly making requests that include a deeply nested nonexistent folder. Only users who can authenticate to the server can launch these attacks.

VENDOR RESPONSE

The vendor, Microsoft, has released version bulletin MS01-049 and a patch to fix this vulnerability.

CREDIT
Discovered by Joao Gouveia.
TAGS: Security
Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish