[19955] in bugtraq


Re: Security bugs in interactions between IE 5.x,

daemon@ATHENA.MIT.EDU (Toni Lassila)
Fri Mar 30 11:02:23 2001

MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
content-class: urn:content-classes:message
Message-ID:  <6C60F1D0DCCC0F4FBDCA8F1668BE08AFCC3B@fp1.tekian.net>
Date:         Fri, 30 Mar 2001 12:20:36 +0300
Reply-To: Toni Lassila <t.lassila@MC-EUROPE.COM>
From: Toni Lassila <t.lassila@MC-EUROPE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit

> -----Original Message-----
> From: Chad Kalmes [mailto:chad.j.kalmes@US.ARTHURANDERSEN.COM]
> 
> I've tested this out and the query seems to run fine 
> and returns the stated information, but only if the 
> exchange resources via the web don't require 
> authentication.  If they do, you need to know the other 
> user's password in order to list out the directory 
> contents.  

This would, of course, depend on the authentication type employed
on the Exchange 2000 server. ISTR it being possible to configure
IE5.0 in such a way that the security credentials are passed by
default to internal sites (say Exchange Web Folders or IIS 5.0 using
Integrated Windows Authentication) so that any intranet user could
point directly to the Exchange Web Folders and log in automatically to
see his/her mail.

If Guninski is right, and there is a bug involving the Microsoft OLE
DB Provider for Internet Publishing that allows malicious websites
to execute queries into sites local to the vulnerable user under that
user's context, then it's more than likely that some of those local
sites indeed don't request any kind of authentication or else
authenticate the user automatically using NT Challenge/Response. And
that would mean clear access past any firewalls into the local intranet.
Sure, you have to know the site names, but that's what social engineering
is for.
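The silent-credential behaviour discussed above is governed by the per-zone "Logon" setting in the IE security zones. The following PowerShell audit script is an added example for defenders, not part of the original message and not written by its author; it assumes the classic `Internet Settings\Zones` registry layout (zone 1 = Local intranet, 3 = Internet), the policy value named `1A00`, and the standard documented meanings of its four values. It reports, per zone, whether the browser will hand the current user's NTLM credentials to a site without prompting.

```powershell
# Added example: audit the IE security-zone "Logon" policy (value 1A00) under
# both HKCU and HKLM so an administrator can see which zones get the current
# user's credentials silently. Assumption: standard zone numbering and the
# documented 1A00 values below; HKLM entries only apply when the machine is
# configured to use machine-wide zone settings.

$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

# Documented meanings of the 1A00 "User Authentication / Logon" value.
$logonMeaning = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}

foreach ($root in 'HKCU', 'HKLM') {
    foreach ($zone in 0..4) {
        $key = "${root}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
        if (-not (Test-Path $key)) { continue }

        $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'1A00'
        if ($null -eq $value) { continue }

        $meaning = $logonMeaning[[int]$value]
        if (-not $meaning) { $meaning = 'unknown value 0x{0:X}' -f $value }

        # The risk the thread describes: a zone reachable by untrusted content
        # (Internet, or a loosely defined Intranet zone) configured to send
        # NTLM credentials with no prompt. Flag the clearly dangerous case.
        $flag = ''
        if ($value -eq 0 -and $zone -ge 2) {
            $flag = '  <-- credentials sent silently outside the Intranet zone'
        }

        '{0} {1,-16} 1A00=0x{2:X5}  {3}{4}' -f $root, $zoneNames[$zone], $value, $meaning, $flag
    }
}
```

Run it in the context of the user being audited (the HKCU hive is per user). The Intranet zone row is only as safe as the zone's membership rules: if "include all sites that bypass the proxy server" or wide local-address ranges are enabled, an attacker who can get a hostname into that zone inherits the automatic logon, which is why the membership definition should be reviewed alongside the value this script prints.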
