Reported September 7, 2001, by Microsoft.

VERSION AFFECTED

· Microsoft Outlook Web Access (OWA) for Exchange Server 5.5

DESCRIPTION
A vulnerability exists in Microsoft OWA for Exchange Server 5.5. An attacker can make unauthorized or unauthenticated requests to reveal information (e.g., email aliases and addresses) stored in the Global Address List (GAL). The vulnerability exists because a function in OWA that interrogates the GAL doesn't require authentication, so unauthenticated users can call the function and enumerate the mail addresses of users on the server.

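A log check for the condition described above, as an added example that is not part of the original advisory or any vendor code. It assumes IIS W3C extended logging with the cs-username field enabled; the lookup URL is a labelled placeholder because the advisory does not name the function, and the sample log lines are constructed.

```python
from collections import Counter

# Hypothetical placeholder: the advisory does not name the GAL lookup URL.
GAL_LOOKUP_PREFIX = "/exchange/GAL-LOOKUP-PLACEHOLDER"

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2001-09-07 10:00:01 192.0.2.10 - GET /exchange/GAL-LOOKUP-PLACEHOLDER name=a 200
2001-09-07 10:00:02 192.0.2.10 - GET /exchange/GAL-LOOKUP-PLACEHOLDER name=b 200
2001-09-07 10:00:03 192.0.2.10 - GET /exchange/GAL-LOOKUP-PLACEHOLDER name=c 200
2001-09-07 10:01:00 198.51.100.7 CORP\\alice GET /exchange/GAL-LOOKUP-PLACEHOLDER name=bob 200
2001-09-07 10:02:00 203.0.113.5 - GET /exchange/GAL-LOOKUP-PLACEHOLDER name=a 401
2001-09-07 10:03:00 203.0.113.5 - GET /exchange/OTHER-PAGE-PLACEHOLDER - 200
"""


def anonymous_gal_hits(log_text, prefix=GAL_LOOKUP_PREFIX):
    """Count successful, unauthenticated requests to the lookup URL per client IP."""
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip truncated or malformed records
        row = dict(zip(fields, values))
        anonymous = row.get("cs-username", "-") == "-"  # "-" means no authenticated user
        served = row.get("sc-status", "").startswith("2")
        on_target = row.get("cs-uri-stem", "").lower().startswith(prefix.lower())
        if anonymous and served and on_target:
            hits[row.get("c-ip", "unknown")] += 1
    return hits


if __name__ == "__main__":
    for ip, count in anonymous_gal_hits(SAMPLE_LOG).most_common():
        print(f"{ip}: {count} anonymous GAL lookups served")
```

A client with many hits under the lookup URL and no logged username is the enumeration pattern the description warns about.
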
VENDOR RESPONSE

The vendor, Microsoft, has released security bulletin MS01-047 to address this vulnerability and recommends that affected users apply the patch the vendor provides.

CREDIT
Discovered by Noam Rathaus of SecuriTeam.