SecurityTracker.com
Category:   Application (E-mail Server)  >   Microsoft Exchange
Vendors:   Microsoft
Microsoft Exchange 2003 With Outlook Web Access and Windows SharePoint Services May Grant Incorrect E-mail Account Access to Remote Authenticated Users
SecurityTracker Alert ID:  1008324
SecurityTracker URL:  http://securitytracker.com/id/1008324
CVE Reference:   CVE-2003-0904
Updated:  Jan 9 2004
Original Entry Date:  Nov 28 2003
Impact:   User access via network
Vendor Confirmed:  Yes  
Version(s): 2003
Description:   A vulnerability was reported in Microsoft Exchange 2003 when used with Outlook Web Access and Windows SharePoint Services. The system may grant a remote authenticated user access to the wrong e-mail account.

Matthew Johnson reported that a remote authenticated user may be granted full access to a random user's mailbox.

Martin Blackstone noted that Microsoft issued a support article on the topic. Microsoft reports that when Windows SharePoint Services 2.0 is installed on a Windows Server 2003 system that is running Exchange Server 2003, Kerberos authentication on Internet Information Services (IIS) may be disabled. As a result, Outlook Web Access requests may be incorrectly handled, the report said.

Impact:   A remote authenticated user may be granted full access to a random user's mailbox.
Solution:   No solution was available at the time of this entry. Microsoft has issued a support article describing how to properly remove Windows SharePoint Services to return your system to a working state:

http://www.microsoft.com/exchange/support/e2k3owa.asp

Vendor URL:  www.microsoft.com/technet/security/
Cause:   Authentication error, State error
Underlying OS:  Windows (2003)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jan 13 2004 (Microsoft Issues Fix) Microsoft Exchange 2003 With Outlook Web Access and Windows SharePoint Services May Grant Incorrect E-mail Account Access to Remote Authenticated Users
Microsoft has issued a fix.



Source Message Contents

Subject:  Exchange 2003 OWA major security flaw

We have upgraded our servers to Microsoft Exchange 2003 and noticed a
severe security issue with OWA. When you log in with your own
credentials you may be logged into another user's mailbox at random and
have full access to this user's mailbox. Microsoft knows of the issue but
does not have a fix yet. I was wondering how many others have seen this
issue and have received the same answer from Microsoft.

This seems to be a major security flaw and we have had to shut off OWA
indefinitely because of the issue.

Matthew Johnson CCNA
Network Administrator
Investment Scorecard, Inc.
615.301.7611
mjohnson@investmentscorecard.com
www.investmentscorecard.com <http://www.investmentscorecard.com/>

 


Copyright 2021, SecurityGlobal.net LLC