Full Disclosure mailing list archives

Re: IIS/Outlook Web Access..


From: Darren Bennett <DARREN.L.BENNETT () saic com>
Date: 22 Jul 2003 09:01:28 -0700

Jason,

        It appears your observations are correct. I have not verified that the
problem occurs with only user accounts (I don't want to continue to
break our server in order to do bug testing for Microsoft).
Additionally, the DOS is obvious; whether it can be exploited to do more is not
(I have no idea). As Dallas said in her response, while upgrading may
seem like a good idea (to Exchange 2k+), we too will be using Outlook
2003 before upgrading Exchange (Exchange upgrades in large corporate
environments are a nightmare).

        -Darren

On Mon, 2003-07-21 at 20:45, Jason wrote:
This being full disclosure and all...

I am interested in what exactly Outlook 2003 does that causes IIS so 
much issue? My gut answers in ( )s.

Can this be replicated without Outlook 2003? ( probably )
Can this be done with or without a user account? ( users only )
Is this only a DOS for servers with OWA running? ( probably )
Is it just a DOS or a lurking exploitable condition? ( DOS )
Is it a persistent DOS against IIS and OWA or does a restart resolve it? 
( restart )
Is it reliably reproducible or dependent on an obscure configuration 
option? ( reliable )

If you can provide these details then I think the list would be 
interested. Otherwise you may be better off going to one of the more 
Exchange / MS focused lists for bug sympathy/help.


LaRose, Dallas wrote:

-----Original Message-----
From: Christopher F. Herot [mailto:cherot () appliedmessaging com] 
Maybe you should upgrade from Exchange 5.5 to 2000.  We have had people
using Outlook 2003 client and OWA with Exchange 2000 for several months
without incident.

==========

Although I'll recognize that an upgrade to E2K is prudent and may resolve
the issue, a problem in a product that is still in use should be recognized
and documented.

Although my company is interested in upgrading to both Outlook 2003 and
Exchange 2K+, the upgrade to Outlook 2003 will likely come first due to
complexities in the Exchange upgrade.  I think it's fair to test the
combination of Outlook 2003 and Exchange 5.5 OWA, and I'm interested to know
the results.

Does Microsoft have a Q article that acknowledges the issue?

Dallas LaRose
Senior Network Engineer
S2 Systems, Inc.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



 


-- 
-----------------------------------------------
Darren Bennett 
CISSP, Certified Unix Admin., MCSE, MCSA, MCP +I
Sr. Systems Administrator/Manager
Science Applications International Corporation
Advanced Systems Development and Integration
-----------------------------------------------
