Bugtraq mailing list archives

Re: Microsoft Security Bulletin MS01-047


From: H D Moore <hdm () secureaustin com>
Date: Thu, 6 Sep 2001 19:54:58 -0500

On Thursday 06 September 2001 06:26 pm, you said:
> The following is a Security Bulletin from the Microsoft Product Security
> Notification Service.
> ----------------------------------------------------------------------
> Title:      OWA Function Allows Unauthenticated User to Enumerate
>             Global Address List

I thought this was a feature ;)

To dump the complete GAL:
http://exchangesvr/exchange/finduser/fumsg.asp

If the site has more entries than the maximum defined or the default of 9999, 
you will get back an error message saying:

"This query would return too many addresses!"

In this case you need to create an HTML form with the action set to the 
fumsg.asp script using the POST method. Use the following variables to narrow 
down the result set:

DN (Display Name)
FN (First Name)
LN (Last Name)
TL (Title)
AN (Alias)
CP (Company)
DP (Department)
OF (Office)
CY (City)

If you get redirected back to the logon page immediately, it means that you 
must establish a session with your browser first.  To do that, just browse to:

http://exchangesvr/exchange/LogonFrm.asp?mailbox=&isnewwindow=0

Enjoy.

-- 
H D Moore
http://www.digitaldefense.net - work
http://www.digitaloffense.net -  play

