Outlook Web Access v5.5 SP4 and below contains a vulnerability which allows remote users to view files in the directory /lib. Several files can be viewed.
Aris Telecom Security Advisory
==============================
19/02/2002
Title:
======
Outlook Web Access view include files vulnerability
System Affected:
===============
Outlook Web Access 5.5 SP4; other versions are possibly affected
Description:
===========
Outlook Web Access (OWA) contains an error that allows any Internet user to
view all the files in the /lib directory. These files are stored with the INC
extension, so when one is requested by a browser, the server shows all the ASP
code contained in the file:
www.server.com/exchange/lib/logon.inc
Other files that can be viewed are:
exchange/lib/AMPROPS.INC
exchange/lib/ATTACH.INC
exchange/lib/DELETE.INC
exchange/lib/GETREND.INC
exchange/lib/GETWHEN.INC
exchange/lib/JSATTACH.INC
exchange/lib/JSROOT.INC
exchange/lib/JSUTIL.INC
exchange/lib/LANG.INC
exchange/lib/PAGEUTIL.INC
exchange/lib/PUBFLD.INC
exchange/lib/RENDER.INC
exchange/lib/SESSION.INC
exchange/lib/STORE.INC
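Added example (not part of the Aris Telecom advisory): a Python check that scans web server logs for successful retrievals of the include files listed above. It assumes W3C extended-format logs with a #Fields header; the function name and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Any include file directly under the OWA /exchange/lib/ directory (case-insensitive).
INC_PATH = re.compile(r"^/exchange/lib/[^/]+\.inc$", re.IGNORECASE)

# Constructed sample log (assumed W3C extended format); addresses are documentation IPs.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2002-02-19 10:01:12 192.0.2.10 GET /exchange/logon.asp 200
2002-02-19 10:01:40 192.0.2.44 GET /exchange/lib/logon.inc 200
2002-02-19 10:01:55 192.0.2.44 GET /exchange/lib/SESSION%2EINC 200
2002-02-19 10:02:03 192.0.2.44 GET /exchange/lib/STORE.INC 404
2002-02-19 10:02:10 192.0.2.10 POST /exchange/lib/RENDER.INC 200
""".splitlines()


def find_inc_disclosures(log_lines):
    """Return (date, time, client_ip, path) for each GET of /exchange/lib/*.inc answered with 200."""
    fields = []
    hits = []
    for line in log_lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # The column layout can change mid-file, so re-read it on every directive.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated record
        rec = dict(zip(fields, values))
        # Normalise percent-encoding, backslashes and doubled slashes before matching.
        path = unquote(rec.get("cs-uri-stem", ""))
        path = re.sub(r"/+", "/", path.replace("\\", "/"))
        if (rec.get("cs-method", "").upper() == "GET"
                and rec.get("sc-status") == "200"
                and INC_PATH.match(path)):
            hits.append((rec.get("date"), rec.get("time"), rec.get("c-ip"), path))
    return hits


if __name__ == "__main__":
    for hit in find_inc_disclosures(SAMPLE_LOG):
        print(*hit)
```

A hit means the server returned the include file to the client, so the ASP source in that file should be treated as disclosed.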
Solution:
========
Microsoft has been informed.
Acknowledgements:
================
The bug was discovered by Marcos A. Ferreira Jr.
Contact: marcos@aristelecom.com.br
English version:
http://www.aristelecom.com.br/adv/owa-advisory-en.txt
Portuguese version:
http://www.aristelecom.com.br/adv/owa-advisory-pt.txt
Contact Information:
===================
Aris Telecom can be reached by e-mail at: aristelecom@aristelecom.com.br
Our web page is at https://www.aristelecom.com.br