Microsoft Exchange 2003 With Outlook Web Access and Windows SharePoint Services May Grant Incorrect E-mail Account Access to Remote Authenticated Users
SecurityTracker Alert ID: 1008324
CVE Reference: CAN-2003-0904
Updated: Jan 9 2004
Original Entry Date: Nov 28 2003
Impact: User access via network
Vendor Confirmed: Yes
Version(s): 2003
Description: A vulnerability was reported in Microsoft Exchange 2003 when used with Outlook Web Access and Windows SharePoint Services. The system may grant a remote authenticated user access to the wrong e-mail account.
Matthew Johnson reported that a remote authenticated user may be granted full access to a random user's mailbox.
Martin Blackstone noted that Microsoft issued a support article on the topic. Microsoft reports that when Windows SharePoint Services 2.0 is installed on a Windows Server 2003 system that is running Exchange Server 2003, Kerberos authentication on Internet Information Services (IIS) may be disabled. As a result, Outlook Web Access requests may be incorrectly handled, the report said.
Impact: A remote authenticated user may be granted full access to a random user's mailbox.
Solution: No solution was available at the time of this entry. Microsoft has issued a support article describing how to properly remove Windows SharePoint Services to return your system to a working state:
http://www.microsoft.com/exchange/support/e2k3owa.asp
Vendor URL: www.microsoft.com/technet/security/
Cause: Authentication error, State error
Underlying OS: Windows (2003)
Reported By: Matthew Johnson <MJOHNSON@INVESTMENTSCORECARD.COM>
Message History:
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Fri, 14 Nov 2003 21:23:59 -0600
From: Matthew Johnson <MJOHNSON@INVESTMENTSCORECARD.COM>
Subject: Exchange 2003 OWA major security flaw
We have upgraded our servers to Microsoft Exchange 2003 and noticed a severe security issue with OWA. When you log in with your own credentials you may be logged into another user's mailbox at random and have full access to this user's mailbox. Microsoft knows of the issue but does not have a fix yet. I was wondering how many others have seen this issue and have received the same answer from Microsoft.

This seems to be a major security flaw and we have had to shut off OWA indefinitely because of the issue.
Matthew Johnson CCNA
Network Administrator
Investment Scorecard, Inc.
615.301.7611
mjohnson@investmentscorecard.com
www.investmentscorecard.com <http://www.investmentscorecard.com/>