Outlook Web Access view include files vulnerability

From: mafj (mafjat_private)
Date: Tue Feb 19 2002 - 10:29:46 PST


     Aris Telecom Security Advisory
     ==============================
     19/02/2002
    
    
     Title:
     ======
    
         Outlook Web Access view include files vulnerability
    
    
     System Affected:
     ===============
    
         Outlook Web Access 5.5 SP4; other versions are possibly affected
    
    
     Description:
     ===========
    
         Outlook Web Access (OWA) has a flaw that allows any Internet user
         to view all the files in the /lib directory. These files are
         stored with the .INC extension, so when one is requested by a
         browser, all of the ASP code contained in the file is shown:
    
         www.server.com/exchange/lib/logon.inc
    
    
         Other files that can be viewed are:
    
         exchange/lib/AMPROPS.INC
         exchange/lib/ATTACH.INC
         exchange/lib/DELETE.INC
         exchange/lib/GETREND.INC
         exchange/lib/GETWHEN.INC
         exchange/lib/JSATTACH.INC
         exchange/lib/JSROOT.INC
         exchange/lib/JSUTIL.INC
         exchange/lib/LANG.INC
         exchange/lib/PAGEUTIL.INC
         exchange/lib/PUBFLD.INC
         exchange/lib/RENDER.INC
         exchange/lib/SESSION.INC
         exchange/lib/STORE.INC
    
    
     Solution:
     ========
    
         Microsoft has been informed.
    
    
     Acknowledgements:
     ================
    
         The bug was discovered by Marcos A. Ferreira Jr.
         Contact: marcosat_private
    
         English version:
         http://www.aristelecom.com.br/adv/owa-advisory-en.txt
    
         Portuguese version:
         http://www.aristelecom.com.br/adv/owa-advisory-pt.txt
    
    
     Contact Information:
     ===================
    
         Aris Telecom can be reached by e-mail at: aristelecomat_private
         Our web page is at https://www.aristelecom.com.br
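
A detection check for the exposure described above, as an added example that is not part of the original advisory: it scans IIS W3C extended log lines for requests to .INC files under /exchange/lib and marks those the server answered with a 2xx status. The log lines, addresses and the function name `find_inc_requests` are constructed for illustration; the field names are the standard W3C extended ones.

```python
import re
from urllib.parse import unquote

# Any include file directly under the OWA /lib directory named in the advisory.
INC_UNDER_LIB = re.compile(r"^/exchange/lib/[^/]+\.inc$", re.IGNORECASE)

# Constructed sample log (documentation-range addresses), not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2002-02-20 10:01:12 192.0.2.10 GET /exchange/logon.asp 200
2002-02-20 10:03:40 198.51.100.7 GET /exchange/lib/logon.inc 200
2002-02-20 10:03:44 198.51.100.7 GET /exchange/LIB/SESSION.INC 404
2002-02-20 10:03:51 198.51.100.7 GET /exchange/lib/JSUTIL%2EINC 200
2002-02-20 10:05:02 192.0.2.10 GET /exchange/library/help.inc 200
"""

def find_inc_requests(lines):
    """Return one dict per request for /exchange/lib/*.inc in W3C log lines."""
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout may change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # Decode percent-escapes in case the stem was logged undecoded.
        uri = unquote(row.get("cs-uri-stem", ""))
        if not INC_UNDER_LIB.match(uri):
            continue
        status = row.get("sc-status", "")
        hits.append({
            "when": f"{row.get('date', '')} {row.get('time', '')}".strip(),
            "client": row.get("c-ip", ""),
            "uri": uri,
            "status": status,
            # 2xx means the file body, i.e. the ASP source, was returned.
            "served": status.startswith("2"),
        })
    return hits

if __name__ == "__main__":
    for hit in find_inc_requests(SAMPLE_LOG.splitlines()):
        flag = "SOURCE SERVED" if hit["served"] else "not served"
        print(hit["when"], hit["client"], hit["uri"], hit["status"], flag)
```

Any hit with `served` set to true means the server returned include-file source to that client and the file's contents should be treated as disclosed.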
    


