Web Access Security Hole?


Guest

I've discovered something quite disturbing today, and am sincerely hoping it's
just a configuration error as opposed to a bona fide security hole in Outlook
2003 Web Access... here it is:

I log on to Outlook Web Access using my username/pwd (user1). The URL in
the address bar appears as follows once I'm logged into Web Access:
https://javex1/exchange/
* I'm accessing it internally, but this issue is the same when accessing
from external too

NOW... if I add another person's mailbox name to the URL, like this:
https://javex1/exchange/ceo

... I automatically see that person's mailbox (ceo, manager, staff, anyone!)

Now it's not a permissions thing as far as I can tell, as my username I'm
logged in with is just a normal domain user (not an administrator)... and I
can even see the administrator mailbox.

Any ideas?? Apologies if I have discovered a security flaw, and in the
process opened up a can of worms in your organisations, however I seriously
doubt nobody else has come across this one before.. just hoping I can find a
fix before our users find this hole.

Thanks in advance,
Greg
 

Sue Mosher [MVP-Outlook]

It is indeed a permissions issue, not a flaw in OWA. The behavior you see indicates that your account has been given permission to view the other mailbox. The administrator needs to check the permissions.
 
