Outlook Web Access authentication bypass

From: Chris Robertson (Chris.Robertsonat_private)
Date: Fri May 23 2003 - 01:03:17 PDT

Next message: D4rkGr3y: "Prishtina FTP v.1.*: remote DoS"

Previous message: Gyrniff: "iisPROTECT SQL injection in admin interface"
Next in thread: Chris Robertson: "RE: Outlook Web Access authentication bypass"
Reply: Chris Robertson: "RE: Outlook Web Access authentication bypass"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This exploit exhibits the same symptoms as CAN-2002-0507 however I have
found it is possible on an Exchange 5.5 (patches current to within ~3
months) single system Outlook Web Access install (IIS and Exchange on the
same server) to access any mailbox once the client has been successfully
authenticated in Netscape 7.0 on Windows 2k and Redhat 7.2, Mozilla 1.0.1,
Galeon 1.2.5, and Konqueror 3.0.3-13 on Redhat 8.0.  Additionally under IE
5.50.4807.2300 it is possible to get the same behavior by canceling an
attempted login to a non-authorized mailbox and editing the url from
..."isnewwindow=0"... to ..."isnewwindow=1"...

Does anyone have anymore info on this?

Thanks,
Chris Robertson
Security Engineer
Instill Corp.

Next message: D4rkGr3y: "Prishtina FTP v.1.*: remote DoS"
Previous message: Gyrniff: "iisPROTECT SQL injection in admin interface"
Next in thread: Chris Robertson: "RE: Outlook Web Access authentication bypass"
Reply: Chris Robertson: "RE: Outlook Web Access authentication bypass"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri May 23 2003 - 09:16:04 PDT