• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Microsoft Exchange OWA Global Address List Disclosure Vulnerability

Severity: HIGH

Description:

Microsoft Exchange enables users to access their inboxes and other various resources located in the Web Storage System. Outlook Web Access (OWA) enables user's to remotely access these resources via a URL. OWA ships with Microsoft Exchange by default.

Due to a flaw in a component (fumsg.asp) of OWA, it is possible for unauthorized user's to gain read access to the Global Address List.

Typically when performing a Find Users request, the user interface gathers the necessary information required to complete the search request. This includes confirming that the user making the request has successfully authenticated to the server. Once the information is gathered and confirmed, the user interface calls a back end function (fumsg.asp) to carry out the request. However due to the flaw in OWA, an unauthenticated user can make a search request directly to the back end function (fumsg.asp), circumventing authentication to the Exchange server.

If successfully exploited, a user could gain read access to the enitre Global Address List. Knowledge of this information could assist in further attacks against the target host. Specifically, this information could be used to spam users on the host.

Affected Products:

• Microsoft Exchange Server 5.5.0
• Microsoft Exchange Server 5.5.0SP1
• Microsoft Exchange Server 5.5.0SP2
• Microsoft Exchange Server 5.5.0SP3
• Microsoft Exchange Server 5.5.0SP4

References:

• Microsoft: Microsoft Security Bulletin MS01-047
• SecuriTeam.com: Exchange Public Folders Information Leakage

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.