On Saturday, May 16, 2009, a newly discovered and unpatched flaw was disclosed affecting Microsoft IIS 6 with WebDAV enabled. Due to an error in the way Unicode characters are handled, it is possible for an attacker to bypass authentication requirements when accessing a protected resource. It may also be possible for attackers to upload files to a vulnerable server without supplying credentials. Due to the nature of this flaw and the ease with which it can be triggered, we feel that it is probable that attacks will be carried out in the wild. Reports indicate that Microsoft IIS 7 is not vulnerable; other versions may also be affected. More information is available in the following BID:
Microsoft IIS Unicode Requests to WebDAV Multiple Authentication Bypass Vulnerabilities: http://www.securityfocus.com/bid/34993