vendor:
Exchange Server 5.5, IIS 4.0 and 5.0
by:
SecurityFocus
7.5
CVSS
HIGH
Encapsulated SMTP Address Vulnerability
601
CWE
Product Name: Exchange Server 5.5, IIS 4.0 and 5.0
Affected Version From: Microsoft Exchange 5.5, IIS 4.0 and 5.0
Affected Version To: Microsoft Exchange 5.5, IIS 4.0 and 5.0
Patch Exists: No
Related CWE: CVE-1999-0752
CPE: a:microsoft:exchange_server:5.5, cpe:/a:microsoft:iis:4.0, cpe:/a:microsoft:iis:5.0
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2002
Microsoft Exchange 5.5 and IIS 4.0/5.0 SMTP Encapsulated Address Vulnerability
Microsoft Exchange 5.5 and the SMTP (Simple Mail Transfer Protocol) service included with IIS (Internet Information Services) 4.0 and 5.0 are vulnerable to an encapsulated SMTP address vulnerability. The vulnerability allows an attacker to bypass the SMTP server's security checks and send emails to any address, even if the server is configured to not allow relaying. This can be exploited by sending an email with an encapsulated address, which is a specially crafted address that contains the target address within it.
Mitigation:
Microsoft released a patch to fix the vulnerability for Exchange Server 5.5 only. There exists no patch for the IIS SMTP service.
