From: Craig Boston (craigwmhza.gank.org)
Date: Fri Sep 07 2001 - 14:55:40 CDT

    On Thu, 6 Sep 2001 19:54:58 -0500 H D Moore <hdmsecureaustin.com> wrote:

    > I thought this was a feature ;)
    >
    > To dump the complete GAL:
    > http://exchangesvr/exchange/finduser/fumsg.asp

    I tried this on my 5.5 SP4 server with OWA. I replaced http with https as
    I have IIS configured to only allow encrypted access to the /exchange tree
    and got redirected back to the logon screen since I didn't have a session cookie.

    > If you get redirected back to the logon page immediately, it means that you
    > must establish a session with your browser first. To do that, just browse to:
    >
    > http://exchangesvr/exchange/LogonFrm.asp?mailbox=&isnewwindow=0

    This request gets me a blank page with a JavaScript popup saying "This page
    has been disabled, please see your administrator." I got an ASPSESSIONID
    cookie; however, the first URL still redirects me back to the logon page. I
    encountered similar results with Aviram Jenik's method.

    My guess is this is because I have disabled anonymous access to public
    folders. I'm not 100% sure but it would appear at first glance that this
    provides some protection against the GAL enumeration exploit.

    In Exchange Administrator, open Site/Configuration/Protocols/HTTP and uncheck
    both boxes about anonymous access. Probably a good idea anyway if you have no
    public folders that need to be accessed anonymously.

    --
    Craig Boston, CCNA
    Network Administrator
    Owen Oil Tools, Inc.
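A small verification script, added here and not part of Craig's post or of Exchange itself, for confirming on an administrator's own Exchange 5.5/OWA server that the anonymous-access change has the effect he describes: a request to the finduser page made with no session cookie should bounce to the logon page rather than return the page. The host name, the verdict names and the 401/403 handling are this script's own assumptions; the endpoint paths are the ones quoted in the thread.

```python
import sys
import urllib.error
import urllib.request

# Endpoint paths quoted in the thread; the host name is supplied by the operator.
FINDUSER_PATH = "/exchange/finduser/fumsg.asp"
LOGON_MARKER = "logonfrm.asp"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the 302 to the logon page is observable."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, location):
    """Verdict for a cookie-less request to the finduser page (assumed labels).

    'protected' - bounced to LogonFrm.asp, or refused with 401/403: the
                  behaviour Craig reports once anonymous access is off
    'exposed'   - a 200 came back with no session at all, so the page is
                  being served to anyone who can reach the server
    'unknown'   - anything else (5xx, unrelated redirect); inspect by hand
    """
    loc = (location or "").lower()
    if status in (301, 302, 303, 307) and LOGON_MARKER in loc:
        return "protected"
    if status in (401, 403):
        return "protected"
    if status == 200:
        return "exposed"
    return "unknown"


def probe(base_url, timeout=10):
    """Fetch FINDUSER_PATH once, with no cookies, and return (status, location)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(base_url.rstrip("/") + FINDUSER_PATH)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.getcode(), resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx (unfollowed), 4xx and 5xx land here
        return err.code, err.headers.get("Location")


if __name__ == "__main__":
    # Usage: python owa_gal_check.py https://exchangesvr
    status, location = probe(sys.argv[1])
    print(status, location, "->", classify(status, location))
```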