Guest
I've discovered something quite disturbing today, and am sincerely hoping it's
just a configuration error as opposed to a bona fide security hole in Outlook
2003 Web Access... here it is:
I log on to Outlook Web Access using my username/pwd (user1). The URL in
the address bar appears as follows once I'm logged into Web Access:
https://javex1/exchange/
* I'm accessing it internally, but this issue is the same when accessing
from external too
NOW... if I add another person's mailbox name to the URL, like this:
https://javex1/exchange/ceo
... I automatically see that person's mailbox (ceo, manager, staff, anyone!)
Now it's not a permissions thing as far as I can tell, as my username I'm
logged in with is just a normal domain user (not an administrator)... and I
can even see the administrator mailbox.
Any ideas?? Apologies if I have discovered a security flaw, and in the
process opened up a can of worms in your organisations, however I seriously
doubt nobody else has come across this one before.. just hoping I can find a
fix before our users find this hole.
Thanks in advance,
Greg
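
A defender-side check for the behaviour described in the post, added here as an example and not part of the original post: it scans web server logs in W3C extended format for successful requests where the mailbox segment under /exchange/ differs from the authenticated account. The log lines are constructed, and the code assumes the mailbox alias equals the logon name and that the log records cs-username, cs-uri-stem and sc-status.

```python
from collections import Counter

# Constructed sample log in W3C extended format (not taken from the post).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2005-03-01 09:00:01 GET /exchange/user1/ DOMAIN\\user1 10.0.0.5 200
2005-03-01 09:00:07 GET /exchange/user1/Inbox/ DOMAIN\\user1 10.0.0.5 200
2005-03-01 09:02:13 GET /exchange/ceo/ DOMAIN\\user1 10.0.0.5 200
2005-03-01 09:02:20 GET /exchange/ceo/Inbox/ DOMAIN\\user1 10.0.0.5 200
2005-03-01 09:03:41 GET /exchange/administrator/ DOMAIN\\user1 10.0.0.5 401
2005-03-01 09:05:00 GET /exchange/ - 10.0.0.9 401
2005-03-01 09:06:10 GET /exchange/CEO/ ceo@example.test 10.0.0.7 200
"""

def account_name(cs_username):
    """Reduce DOMAIN\\user or user@domain to the bare, lower-cased account."""
    name = cs_username.rsplit("\\", 1)[-1]
    return name.split("@", 1)[0].lower()

def cross_mailbox_hits(log_text, prefix="/exchange/"):
    """Count 2xx requests whose mailbox path segment is not the logged-on user.

    Assumption: mailbox alias == logon name. Delegated access that was granted
    on purpose shows up here too and has to be triaged by hand.
    """
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column order comes from the log itself
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "").lower()
        user = row.get("cs-username", "-")
        status = row.get("sc-status", "")
        # Skip anonymous requests, other paths, and anything that was refused.
        if user == "-" or not stem.startswith(prefix) or not status.startswith("2"):
            continue
        mailbox = stem[len(prefix):].split("/", 1)[0]
        if mailbox and mailbox != account_name(user):
            hits[(account_name(user), mailbox)] += 1
    return hits

if __name__ == "__main__":
    for (user, mailbox), count in cross_mailbox_hits(SAMPLE_LOG).items():
        print(f"{user} opened mailbox '{mailbox}' {count} time(s)")
```

Any pair it reports is either intended delegation or a mailbox permission that needs review.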