Re: Microsoft Security Bulletin MS01-047

From: Craig Boston (craigat_private)
Date: Fri Sep 07 2001 - 12:55:40 PDT


On Thu, 6 Sep 2001 19:54:58 -0500 H D Moore <hdmat_private> wrote:

> I thought this was a feature ;)
>
> To dump the complete GAL:
> http://exchangesvr/exchange/finduser/fumsg.asp

I tried this on my 5.5 SP4 server with OWA.  I replaced http with https, as
I have IIS configured to only allow encrypted access to the /exchange tree,
and got redirected back to the logon screen since I didn't have a session cookie.

> If you get redirected back to the logon page immediately, it means that you
> must establish a session with your browser first.  To do that, just browse to:
>
> http://exchangesvr/exchange/LogonFrm.asp?mailbox=&isnewwindow=0

This request gets me a blank page with a JavaScript popup saying "This page
has been disabled, please see your administrator."  I got an ASPSESSIONID
cookie; however, the first URL still redirects me back to the logon page.  I
encountered similar results with Aviram Jenik's method.

My guess is this is because I have disabled anonymous access to public
folders.  I'm not 100% sure, but it would appear at first glance that this
provides some protection against the GAL enumeration exploit.

In Exchange Administrator, go to Site/Configuration/Protocols/HTTP and uncheck both
boxes about anonymous access.  Probably a good idea anyway if you have no
public folders that need to be accessed anonymously.

--
Craig Boston, CCNA
Network Administrator
Owen Oil Tools, Inc.
    

This archive was generated by hypermail 2b30 : Fri Sep 07 2001 - 14:37:21 PDT