COMMAND

    Outlook Web Access view include files vulnerability

SYSTEMS AFFECTED

    Outlook Web Access 5.5 SP4 and possibly other versions

PROBLEM

    From the Marcos A. Ferreira Jr. [marcos@aristelecom.com.br] Aris Telecom
    advisory [http://www.aristelecom.com.br/adv/owa-advisory-en.txt]:

    Outlook Web Access (OWA) has an error that allows any Internet user to
    view all the files in the /lib directory. These files are stored with
    the INC extension, so when one is requested by a browser, all of the
    ASP code contained in the file is shown:

        www.server.com/exchange/lib/logon.inc

    Other files that can be viewed are:

        exchange/lib/AMPROPS.INC
        exchange/lib/ATTACH.INC
        exchange/lib/DELETE.INC
        exchange/lib/GETREND.INC
        exchange/lib/GETWHEN.INC
        exchange/lib/JSATTACH.INC
        exchange/lib/JSROOT.INC
        exchange/lib/JSUTIL.INC
        exchange/lib/LANG.INC
        exchange/lib/PAGEUTIL.INC
        exchange/lib/PUBFLD.INC
        exchange/lib/RENDER.INC
        exchange/lib/SESSION.INC
        exchange/lib/STORE.INC

SOLUTION

    None yet.
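
Added example (not part of the advisory or of the vendor's material): a log check for whether the include files listed above were actually served to clients. It assumes the web server writes W3C extended logs with a #Fields header that includes c-ip, cs-uri-stem and sc-status; the sample log lines and the name find_inc_disclosures are constructed for illustration.

```python
"""Flag successful requests for OWA include files in W3C extended logs."""
import re
from urllib.parse import unquote

# Any .inc file directly under /exchange/lib/, as listed in the advisory.
INC_PATH = re.compile(r"^/exchange/lib/[^/]+\.inc$", re.IGNORECASE)

# Constructed sample log (documentation-range addresses), not real traffic.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-01-10 10:00:01 192.0.2.10 GET /exchange/logon.asp 200
2001-01-10 10:00:05 198.51.100.7 GET /exchange/lib/logon.inc 200
2001-01-10 10:00:06 198.51.100.7 GET /exchange/LIB/SESSION.INC 200
2001-01-10 10:00:07 198.51.100.7 GET /exchange/lib/STORE%2EINC 200
2001-01-10 10:00:09 203.0.113.4 GET /exchange/lib/render.inc 404
#Fields: date time cs-method cs-uri-stem sc-status c-ip
2001-01-10 11:00:00 GET /exchange/lib/PAGEUTIL.INC 200 203.0.113.4
"""

def find_inc_disclosures(log_text):
    """Return (date, time, client_ip, path) for each .inc file served with 2xx."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # Column order can change mid-file; always use the latest header.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated record
        rec = dict(zip(fields, values))
        # Decode percent-escapes in case the stem was logged undecoded.
        path = unquote(rec.get("cs-uri-stem", ""))
        status = rec.get("sc-status", "")
        # Only a 2xx status means the file body was actually returned.
        if INC_PATH.match(path) and status.startswith("2"):
            hits.append((rec.get("date"), rec.get("time"), rec.get("c-ip"), path))
    return hits

if __name__ == "__main__":
    for hit in find_inc_disclosures(SAMPLE_LOG):
        print(*hit)
```

Any hit means the source of that include file left the server, so the code in it should be treated as known to the requesting client.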