Vulnerability Note VU#787932
Microsoft IIS WebDAV Remote Authentication Bypass
A vulnerability exists in the way Microsoft Internet Information Server (IIS) handles unicode tokens that may allow authentication bypass.
Web-based Distributed Authoring and Versioning (WebDAV) is a set of HTTP extensions that allow collaborative management and editing of files collected on remote servers. The way that Microsoft IIS's implementation of WebDAV handles unicode tokens may allow authentication bypass. According to Nikolaos Rangos:
The specific flaw exists within the WebDAV functionality of IIS 6.0. The Web Server fails to properly handle unicode tokens when parsing the URI and sending back data.
A remote attacker may be able to bypass the access restrictions and list, download, upload and modify protected files.
We are currently unaware of a practical solution to this problem. Please consider the following workarounds:
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Microsoft Corporation||Affected||-||19 May 2009|
CVSS Metrics (Learn More)
This vulnerability was publicly disclosed by Nikolaos Rangos.
This document was written by Chris Taschner.
- CVE IDs: CVE-2009-1535
- Date Public: 12 Mar 2009
- Date First Published: 19 May 2009
- Date Last Updated: 20 May 2009
- Document Revision: 17
If you have feedback, comments, or additional information about this vulnerability, please send us email.