Reported September 7, 2001, by Microsoft.
VERSION AFFECTED
· Microsoft Outlook Web Access (OWA) for Exchange Server 5.5
DESCRIPTION
A vulnerability exists in Microsoft OWA for Exchange Server 5.5. An attacker can make unauthorized or unauthenticated requests to reveal information (e.g., email aliases and addresses) stored in the Global Address List (GAL). This vulnerability results because a function in OWA that interrogates the GAL doesn't require authentication. Unauthenticated users can call the function and enumerate the mail addresses of users on the server.
VENDOR RESPONSE
The vendor, Microsoft, has released security bulletin MS01-047 to address this vulnerability and recommends that affected users apply the patch the vendor provides.
CREDIT
Discovered by Noam Rathaus of SecuriTeam.