| VID | 22012 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | WWW |
| Detailed Description | Microsoft Exchange Public Folders allow an unauthenticated user to enumerate the Global Address List. Public Folders can be set to allow anonymous connections (set by default). If this is not changed, an attacker can gain critical information about the users (such as full email address, phone number, etc.) that are present in the Exchange Server. This information disclosure vulnerability exists in Exchange Server 5.5 configured to offer Microsoft Outlook Web Access (OWA). The problem occurs because a function in OWA that queries the Global Address List does not require authentication. Unauthenticated users can call the function and enumerate the mail addresses of users on the server. References: http://www.securiteam.com/windowsntfocus/5WP091P5FQ.html , http://www.microsoft.com/technet/security/bulletin/MS01-047.asp |
| Recommendation | Apply the appropriate patch for your system from: https://technet.microsoft.com/library/security/ms01-047 |
| Related URL | CVE-2001-0660 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |