Re: Very interesting Opera 6 and Outlook Web Access behavior:

From: Steve (steve@SECURESOLUTIONS.ORG)
Date: 02/04/02


Date:         Mon, 4 Feb 2002 12:33:21 -0700
From: Steve <steve@SECURESOLUTIONS.ORG>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM


> Here's the problem:
>
> Outlook Web Access with domain authentication set up can be
> bypassed using Opera 6 by doing the following:
>
> 1. Enter in a proper username and password in the dialog box.
> 2. When the second attempt for a password comes up, hit cancel.
> 3. Outlook Web Access comes up with your information:

If you are entering proper credentials, you are not truly bypassing OWA
authentication. Chances are, and I will try to confirm this sometime
today, Opera caches the first login, and simply uses those credentials
to log in when you hit cancel.

> Testing platform:
>
> Exchange Server:
>
> MS Exchange Server 5.5 SP4 with Hotfixes
> Windows 2000 Server Service Pack 2 with Hotfixes
> IIS 5.0 with Hotfixes and configured for domain authentication

Will test on Win2K SP2 with Exchange 2000 later today.

>
> I find this to be rather disturbing. Does this happen in
> Exchange 2000?

I wouldn't call it disturbing, it's not really a security risk as you
have to already have the domain credentials in order to get to the next
step in authentication. What happens when the domain credentials are
different than the Exchange ones? Have you attempted this?

Regards;

Steve Manzuik
Moderator - VulnWatch
www.vulnwatch.org
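One way to confirm Steve's explanation from the server side, as an added example that is not part of the original thread: parse the IIS W3C extended log for the OWA virtual directory and check whether each 200 response carries an authenticated cs-username. If IIS recorded a user name on the request that returned the mailbox, the browser sent credentials and nothing was bypassed; a 200 without one would be the case worth investigating. The log lines below are constructed, and the column order is taken from the #Fields directive rather than assumed.

```python
# Added example, not from the original thread. Parses IIS W3C extended log
# lines (constructed sample below) and reports, per client IP, whether the
# successful OWA request carried an authenticated user name. A 200 on the
# /exchange path with a non-empty cs-username means IIS authenticated the
# request, i.e. the browser supplied (cached) credentials rather than
# bypassing authentication.

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-stem sc-status
2002-02-04 12:30:01 10.0.0.5 - 10.0.0.1 GET /exchange/ 401
2002-02-04 12:30:02 10.0.0.5 - 10.0.0.1 GET /exchange/ 401
2002-02-04 12:30:09 10.0.0.5 CORP\\jsmith 10.0.0.1 GET /exchange/ 200
2002-02-04 12:31:15 10.0.0.7 - 10.0.0.1 GET /exchange/ 401
2002-02-04 12:31:20 10.0.0.7 - 10.0.0.1 GET /exchange/ 200
"""


def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("data record before #Fields directive")
            yield dict(zip(fields, line.split()))


def classify_owa(text, path="/exchange"):
    """Map client IP -> 'authenticated', 'unauthenticated' or 'no-success'.

    'authenticated': a 200 under `path` carried a cs-username (credentials
    were sent, so the login was not bypassed).
    'unauthenticated': a 200 under `path` had no user name at all, which
    would point at anonymous access being permitted on the directory.
    """
    result = {}
    for rec in parse_w3c(text):
        if not rec["cs-uri-stem"].startswith(path):
            continue
        ip = rec["c-ip"]
        result.setdefault(ip, "no-success")
        if rec["sc-status"] == "200":
            if rec["cs-username"] != "-":
                result[ip] = "authenticated"
            elif result[ip] != "authenticated":
                result[ip] = "unauthenticated"
    return result
```

The 401/401/200 sequence for 10.0.0.5 is what a cancelled second prompt followed by a cached-credential login looks like; the mailbox was served only once a user name was present.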
