[22554] in bugtraq


Re: Microsoft Security Bulletin MS01-047

daemon@ATHENA.MIT.EDU (H D Moore)
Thu Sep 6 22:18:58 2001

Message-ID: <20010907005504.8679.qmail@securityfocus.com>
Content-Type: text/plain;
  charset="iso-8859-1"
From: H D Moore <hdm@secureaustin.com>
To: pen-test@securityfocus.com, bugtraq@securityfocus.com
Date: Thu, 6 Sep 2001 19:54:58 -0500
In-Reply-To: <2E08A46FF518C9418713A1B2C780684D103D09@red-msg-20.redmond.corp.microsoft.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

On Thursday 06 September 2001 06:26 pm, you said:
> The following is a Security Bulletin from the Microsoft Product Security
> Notification Service.
> ----------------------------------------------------------------------
> Title:      OWA Function Allows Unauthenticated User to Enumerate
>             Global Address List

I thought this was a feature ;)

To dump the complete GAL:
http://exchangesvr/exchange/finduser/fumsg.asp

If the site has more entries than the maximum defined or the default of 9999, 
you will get back an error message saying:

"This query would return too many addresses!"

In this case you need to create an HTML form with the action set to the 
fumsg.asp script using the POST method. Use the following variables to narrow 
down the result set:

DN (Display Name)
FN (First Name)
LN (Last Name)
TL (Title)
AN (Alias)
CP (Company)
DP (Department)
OF (Office)
CY (City)

If you get redirected back to the logon page immediately, it means that you 
must establish a session with your browser first.  To do that, just browse to:

http://exchangesvr/exchange/LogonFrm.asp?mailbox=&isnewwindow=0

Enjoy.

-- 
H D Moore
http://www.digitaldefense.net - work
http://www.digitaloffense.net -  play
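
For administrators checking their own server's logs, an added example (not part of the original post) that scans IIS W3C extended logs for unauthenticated requests to the fumsg.asp script named above and notes whether the same client first opened a session through LogonFrm.asp with an empty mailbox. The log field layout, the sample lines and the function names are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs

FINDUSER = "/exchange/finduser/fumsg.asp"
LOGON = "/exchange/logonfrm.asp"

# Constructed sample log (documentation IP ranges, invented account name).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2001-09-07 01:02:03 192.0.2.10 - GET /exchange/LogonFrm.asp mailbox=&isnewwindow=0 200
2001-09-07 01:02:09 192.0.2.10 - POST /exchange/finduser/fumsg.asp - 200
2001-09-07 01:05:00 198.51.100.7 CORP\\alice GET /exchange/finduser/fumsg.asp - 200
2001-09-07 01:06:00 203.0.113.5 - GET /exchange/finduser/fumsg.asp - 302
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def find_anonymous_gal_queries(text):
    """Return one alert per request to the find-user script with no logged user."""
    empty_logon = set()  # clients that requested the logon form with mailbox=""
    alerts = []
    for r in parse_w3c(text):
        stem = r["cs-uri-stem"].lower()
        query = parse_qs(r["cs-uri-query"].lower(), keep_blank_values=True)
        if stem == LOGON and query.get("mailbox") == [""]:
            empty_logon.add(r["c-ip"])
        elif stem == FINDUSER and r["cs-username"] == "-":
            alerts.append({
                "time": r["date"] + " " + r["time"],
                "client": r["c-ip"],
                "method": r["cs-method"],
                "status": r["sc-status"],  # 302 suggests a bounce to the logon page
                "session_via_empty_logon": r["c-ip"] in empty_logon,
            })
    return alerts

if __name__ == "__main__":
    for alert in find_anonymous_gal_queries(SAMPLE_LOG):
        print(alert)
```
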
