Bugtraq mailing list archives
Re: Microsoft Security Bulletin MS01-047
From: Craig Boston <craig () wmhza gank org>
Date: Fri, 7 Sep 2001 14:55:40 -0500 (CDT)
On Thu, 6 Sep 2001 19:54:58 -0500 H D Moore <hdm () secureaustin com> wrote:
> I thought this was a feature ;) To dump the complete GAL:
> http://exchangesvr/exchange/finduser/fumsg.asp

I tried this on my 5.5 SP4 server with OWA. I replaced http with https as I have IIS configured to only allow encrypted access to the /exchange tree and got redirected back to the logon screen since I didn't have a session cookie.

> If you get redirected back to the logon page immediately, it means that you
> must establish a session with your browser first. To do that, just browse to:
> http://exchangesvr/exchange/LogonFrm.asp?mailbox=&isnewwindow=0

This request gets me a blank page with a javascript popup saying "This page has been disabled, please see your administrator." I got an ASPSESSIONID cookie, however the first URL still redirects me back to the logon page. I encountered similar results with Aviram Jenik's method.

My guess is this is because I have disabled anonymous access to public folders. I'm not 100% sure but it would appear at first glance that this provides some protection against the GAL enumeration exploit.

Exchange Administrator, Site/Configuration/Protocols/HTTP and uncheck both boxes about anonymous access. Probably a good idea anyway if you have no public folders that need to be accessed anonymously.

--
Craig Boston, CCNA
Network Administrator
Owen Oil Tools, Inc.
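An added example, not part of the original message: one way to check IIS logs for the behaviour discussed in this thread, separating anonymous requests for the finduser page that were served (200) from those bounced back to the logon page. It assumes W3C extended logging with the fields shown in the constructed sample; the log lines, addresses and account name are made up for illustration.

```python
"""Review IIS W3C logs for anonymous access to the OWA finduser page."""

TARGET = "/exchange/finduser/fumsg.asp"  # path quoted in the thread

# Constructed sample log; addresses are documentation ranges, account is fictional.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2001-09-07 14:01:10 192.0.2.10 - GET /exchange/LogonFrm.asp mailbox=&isnewwindow=0 200
2001-09-07 14:01:12 192.0.2.10 - GET /exchange/finduser/fumsg.asp - 200
2001-09-07 14:03:40 198.51.100.7 - GET /exchange/finduser/fumsg.asp - 302
2001-09-07 14:05:02 192.0.2.44 CORP\\jdoe GET /exchange/FindUser/FUMsg.asp - 200
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, parts))


def classify(rec):
    """Return a verdict for requests to TARGET, or None for other URLs."""
    if rec["cs-uri-stem"].lower() != TARGET:  # IIS paths are case-insensitive
        return None
    if rec["cs-username"] != "-":  # IIS logs "-" when no user authenticated
        return "authenticated"
    status = rec["sc-status"]
    if status == "200":
        return "exposed"  # page served to an anonymous client
    if status in ("301", "302", "401", "403"):
        return "blocked"  # redirected to logon or refused
    return "other"


def review(text):
    """List (date, time, client IP, verdict) for every hit on TARGET."""
    return [(r["date"], r["time"], r["c-ip"], v)
            for r in parse_w3c(text) if (v := classify(r))]


if __name__ == "__main__":
    for row in review(SAMPLE_LOG):
        print(*row)
```

Any "exposed" rows after anonymous access has been unchecked under Protocols/HTTP would mean the setting is not having the effect described above.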