QwikSec

Security Database

CVE

CWE

Training

CVE-2009-1535

Published: Jun 10, 2009

Modified: Aug 7, 2024

PUBLISHED

Description

The WebDAV extension in Microsoft Internet Information Services (IIS) 5.1 and 6.0 allows remote attackers to bypass URI-based protection mechanisms, and list folders or read, create, or modify files, via a %c0%af (Unicode / character) at an arbitrary position in the URI, as demonstrated by inserting %c0%af into a "/protected/" initial pathname component to bypass the password protection on the protected\ folder, aka "IIS 5.1 and 6.0 WebDAV Authentication Bypass Vulnerability," a different vulnerability than CVE-2009-1122.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

oval:org.mitre.oval:def:6029

vdb-entry

signature

x_refsource_OVAL

vendor-advisory

x_refsource_MS

http://view.samurajdata.se/psview.php?id=023287d6&page=1

x_refsource_MISC

http://isc.sans.org/diary.html?n&storyid=6397

x_refsource_MISC

20090515 IIS6 + webdav and unicode rides again in 2009

mailing-list

x_refsource_FULLDISC

20090515 Re: IIS6 + webdav and unicode rides again in 2009

mailing-list

x_refsource_FULLDISC

http://blog.zoller.lu/2009/05/iis-6-webdac-auth-bypass-and-data.html

x_refsource_MISC

third-party-advisory

x_refsource_CERT

http://archives.neohapsis.com/archives/fulldisclosure/2009-05/att-0135/IIS_Advisory.pdf

x_refsource_MISC

20090515 Re: IIS6 + webdav and unicode rides again in 2009

mailing-list

x_refsource_FULLDISC

20090616 IIS WebDav Vulnerability CVE ID

mailing-list

x_refsource_VIM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.