Re: Exchange 2003 OWA major security flaw

From: Martin Blackstone (MBlackstone_at_SUPERIORACCESS.COM)
Date: 11/26/03

Next message: Kusnierz, Danny: "CRITICAL??? - Seven New Flaws in Internet Explorer not addressed by MS03-040 or MS03-048"

Previous message: http-equiv_at_excite.com: "Re: "Security at Microsoft" document available"
Maybe in reply to: Matthew Johnson: "Exchange 2003 OWA major security flaw"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date:         Tue, 25 Nov 2003 19:38:59 -0800
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Updated Info regarding this issue:
http://www.microsoft.com/exchange/support/e2k3owa.asp

-----Original Message-----
From: Windows NTBugtraq Mailing List
[mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of Matthew Johnson
Sent: Friday, November 14, 2003 7:24 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Exchange 2003 OWA major security flaw

We have upgraded our servers to Microsoft Exchange 2003 and noticed a severe
security issue with OWA. When you log in with your own credentials you may
be logged into another user's mailbox at random and has full access to this
user's mailbox. Microsoft knows of the issue but does not have a fix yet. I
was wondering how many others have seen this issue and have received the
same answer from Microsoft.

This seems to be a major security flaw and we have had to shut off OWA
indefinitely because of the issue.

Matthew Johnson CCNA

Network Administrator

Investment Scorecard, Inc.

615.301.7611

mjohnson@investmentscorecard.com

www.investmentscorecard.com <http://www.investmentscorecard.com/>

-----
Marcus Ranum's new book "The Myth of Homeland Security" is now out and is
available from http://www.amazon.com/ranum In this hard-hitting review of
the homeland security business, Ranum shows us how the problem is vastly
harder than it's being made to sound, and how special interests, ***
covering, and bureaucracy are threatening to derail any chance of making
progress.
-----

----
NTBugtraq subscribers save $103.00 off the TICSA exam by using promo
code "NT1003" when registering to take the TICSA exam at www.2test.com.
Prove to your employer and peers that you have the knowledge and
abilities to be an active stakeholder in today's enterprise security.
Become TICSA certified www.trusecure.com/ticsa.  Promotion expires
12/31/03 and cannot be used in combination with other offers.
----

Next message: Kusnierz, Danny: "CRITICAL??? - Seven New Flaws in Internet Explorer not addressed by MS03-040 or MS03-048"

Previous message: http-equiv_at_excite.com: "Re: "Security at Microsoft" document available"
Maybe in reply to: Matthew Johnson: "Exchange 2003 OWA major security flaw"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]