The version of Outlook Web Access contains a URL redirection vulnerability. However, abusing it requires user interaction, such as a user clicking a URL embedded in an email.
It is possible to provide an arbitrary "url" value.
Informational only. Microsoft expects this to be resolved in Exchange 2007.
The portal requires users to submit a username and password to authenticate. This communication is not encrypted.
Check the HTML source code of the form page, and examine whether the FORM ACTION is a GET/POST to an HTTPS:// URI.
1) Enable SSL and disable HTTP for the portal.
2) Use two-factor tokens (one-time passwords) for strong authentication.
3) Modify the HTML source to ensure the data is POSTed to an HTTPS URL.
1. In Microsoft Windows, open Administrative Tools, and then click Internet Information Services (IIS) Manager.
IIS Manager appears.
2. Under Internet Information Services, expand Servername (local computer), expand Web Sites, right-click either Websitename or Default Website, and then click Properties.
The Web Site Properties dialog box appears.
3. Click the Home Directory tab, and then click Configuration.
The Application Configuration Settings dialog box appears.
4. Click the Debugging tab.
5. Change the radio button from "Send detailed ASP error messages to client" to "Send the following text error messages" and specify an error.
The FTP service reveals the Operating System type via the 'SYST' command.
This is historically used to determine how to handle file types as many OSes format data differently.
# telnet ftp.microsoft.com 21
Connected to ftp.microsoft.com.
Escape character is '^]'.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
230-Welcome to FTP.MICROSOFT.COM. Also visit http://www.microsoft.com/downloads.
230 User logged in.
221 Thank you for using Microsoft products.
Connection closed by foreign host.