Microsoft Exchange OWA Global Address List Disclosure Vulnerability

posted onSeptember 9, 2001

by hitbsecnews

A flaw exists in a component of OWA on Microsoft Exchange 5.5, which could enable an
unauthenticated user to gain read access to the entire Global Address List. This issue enables
the user to perform a Find User request directly to the flawed component of OWA,
circumventing authentication to the Exchange server.

L33tdawg: The list of vulnerable machines along with the link to the patch is included in the read more.

Microsoft has released a patch which rectifies this issue:

Microsoft Exchange Server 5.5SP4:

Microsoft patch Q307195engi386
http://download.microsoft.com/download/exch55/Patch/05.05.39.2655/NT45/EN-US/Q307195engi386.EXE.

bugtraq id
3301
class
Access Validation Error
cve
CAN-2001-0660
remote
Yes
local
No
published
September 06, 2001
updated
September 07, 2001
vulnerable
Microsoft Exchange Server 5.5SP4
- Microsoft Windows NT 4.0SP7
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP6a
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP6
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP5
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP4
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP3
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP2
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP1
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0
- Microsoft Windows 2000 SP2
+ Microsoft Windows 2000
- Microsoft Windows 2000 SP1
+ Microsoft Windows 2000
- Microsoft Windows 2000
- Microsoft BackOffice 4.5
- Microsoft Windows NT 4.0
Microsoft Exchange Server 5.5SP3
- Microsoft Windows NT 4.0SP7
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP6a
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP6
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP5
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP4
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP3
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP2
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP1
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0
- Microsoft Windows 2000 SP2
+ Microsoft Windows 2000
- Microsoft Windows 2000 SP1
+ Microsoft Windows 2000
- Microsoft Windows 2000
- Microsoft BackOffice 4.5
- Microsoft Windows NT 4.0
Microsoft Exchange Server 5.5SP2
- Microsoft Windows NT 4.0SP7
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP6a
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP6
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP5
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP4
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP3
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP2
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP1
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0
- Microsoft Windows 2000 SP2
+ Microsoft Windows 2000
- Microsoft Windows 2000 SP1
+ Microsoft Windows 2000
- Microsoft Windows 2000
- Microsoft BackOffice 4.5
- Microsoft Windows NT 4.0
Microsoft Exchange Server 5.5SP1
- Microsoft Windows NT 4.0SP7
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP6a
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP6
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP5
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP4
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP3
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP2
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP1
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0
- Microsoft Windows 2000 SP2
+ Microsoft Windows 2000
- Microsoft Windows 2000 SP1
+ Microsoft Windows 2000
- Microsoft Windows 2000
- Microsoft BackOffice 4.5
- Microsoft Windows NT 4.0
Microsoft Exchange Server 5.5
- Microsoft Windows NT 4.0SP7
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP6a
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP6
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP5
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP4
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP3
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP2
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP1
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0
- Microsoft Windows 2000 SP2
+ Microsoft Windows 2000
- Microsoft Windows 2000 SP1
+ Microsoft Windows 2000
- Microsoft Windows 2000
- Microsoft BackOffice 4.5
- Microsoft Windows NT 4.0