CERT home
vulnerabilities & fixesevaluations & practicesresearch & analysistraining & education
homesearchFAQsite indexcontact
Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information
 

 View Notes By
Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric

Vulnerability Note VU#111947

Microsoft Exchange Outlook Web Access fails to authenticate users when searching the Global Address List

Overview

Microsoft Exchange servers that offer the Outlook Web Access service are vulnerable to an information disclosure vulnerability that can reveal any email address stored in the Global Address List.

I. Description

The Outlook Web Access (OWA) component of Microsoft Exchange allows users to access their email with a web browser, obviating the need for a standalone email client. This functionality is implemented with several ASP scripts that allow users to perform typical tasks such as reading, composing, and managing mail messsages. Most of these functions require users to authenticate to the application, thereby protecting the content of the messages. However, the ASP script used by OWA to search the Global Address List (GAL) does not require authentication, which presents an information disclosure vulnerability. By writing custom ASP scripts that bypass the authenticated components of OWA, it is possible for an attacker to learn any email address stored within the GAL.

II. Impact

Attackers can exploit this vulnerability to perform unauthenticated searches on sensitive contact information. For example, an attacker could obtain a user's email address by searching on their name.

III. Solution

Apply a patch from your vendor

Microsoft has released a patch to address this vulnerability; For more information, please consult the vendor information section below.

Disable Outlook Web Access

Microsoft has reported that this vulnerability affects Exchange 5.5 servers running the OWA service. If your local policies prevent the immediate installation of the patch recommended by Microsoft, it is possible to work around this vulnerability by disabling OWA.

Systems Affected

VendorStatusDate Updated
MicrosoftVulnerable12-Sep-2001

References


http://www.microsoft.com/technet/security/bulletin/ms01-047.asp
http://www.securiteam.com/windowsntfocus/5WP091P5FQ.html
http://www.securityfocus.com/bid/3301

Credit

The CERT/CC thanks Joseph Steinberg of Whale Communications for reporting this vulnerability.

This document was written by Jeffrey P. Lanza.

Other Information

Date Public09/06/2001
Date First Published09/12/2001 11:53:22 AM
Date Last Updated09/12/2001
CERT Advisory 
CVE NameCAN-2001-0660
Metric6.62
Document Revision10

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

Copyright 2001 Carnegie Mellon University