Reported September 7, 2001, by Microsoft.
· Microsoft Outlook Web Access (OWA) for Exchange Server 5.5
A vulnerability exists in Microsoft OWA for Exchange Server 5.5. An attacker can make unauthorized or unauthenticated requests to reveal information (e.g., email aliases and addresses) stored in the Global Address List (GAL). The vulnerability exists because a function in OWA that queries the GAL doesn't require authentication, so unauthenticated users can call the function and enumerate the mail addresses of users on the server.
Discovered by Noam Rathaus of SecuriTeam.
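
A detection sketch for the condition described above, added here as an example (not code from Microsoft or SecuriTeam): it scans IIS W3C extended logs for GAL lookup requests that were served with no authenticated user name and groups them by client. The path `/owa-placeholder/gal-lookup.asp` is a hypothetical placeholder because the advisory does not name the function, and the log lines are constructed.

```python
from collections import Counter

# Hypothetical placeholder: the advisory does not name the GAL lookup URL.
GAL_LOOKUP_PATH = "/owa-placeholder/gal-lookup.asp"

# Constructed IIS W3C extended log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2001-09-07 10:00:01 192.0.2.10 - GET /owa-placeholder/gal-lookup.asp 200
2001-09-07 10:00:02 192.0.2.10 - GET /owa-placeholder/gal-lookup.asp 200
2001-09-07 10:00:03 192.0.2.10 - GET /owa-placeholder/gal-lookup.asp 200
2001-09-07 10:00:04 192.0.2.10 - GET /owa-placeholder/logon.asp 200
2001-09-07 10:01:00 198.51.100.7 alice GET /owa-placeholder/gal-lookup.asp 200
2001-09-07 10:01:01 198.51.100.7 alice GET /owa-placeholder/gal-lookup.asp 200
2001-09-07 10:01:02 198.51.100.7 alice GET /owa-placeholder/gal-lookup.asp 200
2001-09-07 10:02:00 203.0.113.5 - GET /owa-placeholder/gal-lookup.asp 401
2001-09-07 10:02:01 203.0.113.5 - GET /owa-placeholder/gal-lookup.asp 401
2001-09-07 10:02:02 203.0.113.5 - GET /owa-placeholder/gal-lookup.asp 401
2001-09-07 10:03:00 203.0.113.9 - GET /OWA-Placeholder/GAL-Lookup.asp 200
"""


def parse_w3c(text):
    """Yield one dict per log entry, named by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed entries
                yield dict(zip(fields, values))


def anonymous_gal_lookups(text, path=GAL_LOOKUP_PATH, threshold=3):
    """Return {client_ip: hits} for clients with at least `threshold` GAL
    lookups that were served (2xx) with no authenticated user name logged."""
    hits = Counter()
    for entry in parse_w3c(text):
        anonymous = entry.get("cs-username") == "-"  # IIS logs "-" for anonymous
        served = entry.get("sc-status", "").startswith("2")
        on_target = entry.get("cs-uri-stem", "").lower() == path.lower()
        if anonymous and served and on_target and "c-ip" in entry:
            hits[entry["c-ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in sorted(anonymous_gal_lookups(SAMPLE_LOG).items()):
        print(f"{ip}: {n} unauthenticated GAL lookups served")
```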