Microsoft KB Archive/252988

= BUG: Deleting Exchange 5.5 Mailbox with LDAP Poses Security Risk =

Article ID: 252988

Article Last Modified on 3/4/2004

-

APPLIES TO


 * Microsoft Exchange Server 5.5 Standard Edition

-



This article was previously published under Q252988



SYMPTOMS
Using LDAP to delete an Exchange 5.5 mailbox removes the directory object but not the associated messages and folders in the information store. If a new mailbox with the same distinguished name (DN) is later created, the contents of the old mailbox in the information store become available to the new mailbox, regardless of which Windows NT account is associated with the new mailbox. Because LDAP tools such as LDP.exe cannot be relied on to remove store data, delete mailboxes with the Exchange Administrator program (Admin.exe), which removes both the directory object and the store contents.



STATUS
Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article.



Steps to Reproduce Behavior

 * 1) Create a mailbox using the Exchange Administration Program (Admin.exe).
 * 2) Send mail to the mailbox.
 * 3) Use LDP.exe (or another LDAP based tool) to delete the mailbox.
 * 4) Use the Exchange Administrator program to recreate a mailbox with the same DN but a different associated Windows NT account. To obtain the same distinguished name, create the new mailbox in the same container as the previous mailbox and give it the same directory name. The directory name is shown on the Advanced tab of the mailbox properties.
 * 5) Log in to the mailbox you made in step 4 and read mail sent before deletion.
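The following Python model is an added illustration of the steps above; it is not Exchange Server code. It assumes, as the symptoms imply, that the information store indexes mailbox data by the mailbox's distinguished name (DN) while the Windows NT account check lives only on the directory object, so an LDAP delete leaves store data behind that re-attaches to any new directory object with the same DN. The DN, account names and message are constructed sample values. The `orphaned_store_mailboxes` and `purge_orphans` helpers are hypothetical names for the audit step a practitioner would want before reusing a directory name.

```python
"""Model of the KB 252988 failure mode (added illustration, not Exchange code)."""


class ExchangeModel:
    """Toy directory + information store keyed the way the KB describes."""

    def __init__(self):
        self.directory = {}   # DN -> Windows NT account allowed to open it
        self.store = {}       # DN -> list of messages (survives an LDAP delete)

    def create_mailbox(self, dn, nt_account):
        # Admin.exe creates the directory object.  Store data already keyed
        # on the same DN is silently picked up: the root cause of the bug.
        self.directory[dn] = nt_account
        self.store.setdefault(dn, [])

    def deliver(self, dn, message):
        if dn not in self.directory:
            raise LookupError("no such mailbox: %s" % dn)
        self.store[dn].append(message)

    def delete_via_admin(self, dn):
        # Admin.exe removes the directory object and the store contents.
        del self.directory[dn]
        self.store.pop(dn, None)

    def delete_via_ldap(self, dn):
        # An LDAP delete touches the directory only; store data is orphaned.
        del self.directory[dn]

    def read_mailbox(self, dn, nt_account):
        # Authorization is checked against the directory object, not the store.
        if self.directory.get(dn) != nt_account:
            raise PermissionError("%s may not open %s" % (nt_account, dn))
        return list(self.store.get(dn, []))

    def orphaned_store_mailboxes(self):
        # Hypothetical audit check: store data with no directory object behind it.
        return sorted(dn for dn in self.store if dn not in self.directory)

    def purge_orphans(self):
        # Hypothetical cleanup: drop orphaned store data before a DN is reused.
        for dn in self.orphaned_store_mailboxes():
            del self.store[dn]


DN = "cn=jdoe,cn=Recipients,ou=SITE,o=ORG"   # constructed sample DN


def reproduce(delete_with_ldap):
    """Run the KB's steps; return what the second owner of the DN can read."""
    ex = ExchangeModel()
    ex.create_mailbox(DN, "DOMAIN\\alice")                 # step 1
    ex.deliver(DN, "confidential message for alice")      # step 2
    if delete_with_ldap:
        ex.delete_via_ldap(DN)                            # step 3 (buggy path)
    else:
        ex.delete_via_admin(DN)                           # Admin.exe path
    ex.create_mailbox(DN, "DOMAIN\\bob")                   # step 4: same DN, new account
    return ex.read_mailbox(DN, "DOMAIN\\bob")              # step 5


if __name__ == "__main__":
    print("after LDAP delete  :", reproduce(True))
    print("after Admin delete :", reproduce(False))
```

`reproduce(True)` returns alice's message to bob, reproducing the exposure; `reproduce(False)` returns an empty mailbox. The model also shows the check worth running after any LDAP-based deletion: list store mailboxes with no matching directory object and remove them before the directory name is reused.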

