Reported September 27, 2001, by Joao Gouveia.
· Exchange 2000 Outlook Web Access (OWA)
A vulnerability exists in Exchange 2000 OWA that results from unchecked directory paths. Because Exchange attempts to process requests without checking for the existence of a directory, an attacker can instigate a Denial of Service (DoS) attack against the server by repeatedly making requests that include a deeply nested nonexistent folder. Only users who can authenticate to the server can launch these attacks.
Discovered by Joao Gouveia.