CVE-2009-1535
Summary
| CVE | CVE-2009-1535 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2009-06-10 14:30:00 UTC |
| Updated | 2020-11-23 20:01:00 UTC |
| Description | The WebDAV extension in Microsoft Internet Information Services (IIS) 5.1 and 6.0 allows remote attackers to bypass URI-based protection mechanisms, and list folders or read, create, or modify files, via a %c0%af (Unicode / character) at an arbitrary position in the URI, as demonstrated by inserting %c0%af into a "/protected/" initial pathname component to bypass the password protection on the protected\ folder, aka "IIS 5.1 and 6.0 WebDAV Authentication Bypass Vulnerability," a different vulnerability than CVE-2009-1122. |
Risk And Classification
Problem Types: CWE-287
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Microsoft | Internet Information Services | 5.1 | All | All | All |
| Application | Microsoft | Internet Information Services | 6.0 | All | All | All |
| Operating System | Microsoft | Windows Server 2003 | - | sp2 | All | All |
| Operating System | Microsoft | Windows XP | - | sp2 | All | All |
| Operating System | Microsoft | Windows XP | - | sp3 | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| InfoSec Handlers Diary Blog | MISC | isc.sans.org | Third Party Advisory |
| US-CERT Technical Cyber Security Alert TA09-160A -- Microsoft Updates for Multiple Vulnerabilities | CERT | www.us-cert.gov | Third Party Advisory, US Government Resource |
| [VIM] IIS WebDav Vulnerability CVE ID | VIM | www.attrition.org | Third Party Advisory |
| 20090515 Re: IIS6 + webdav and unicode rides again in 2009 | FULLDISC | archives.neohapsis.com | Broken Link |
| Microsoft Security Bulletin MS09-020 - Important \| Microsoft Docs | MS | docs.microsoft.com | Patch, Vendor Advisory |
| Online viewer - http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2009-05/pdfje7FQDaLIN.pdf | MISC | view.samurajdata.se | Broken Link |
| archives.neohapsis.com/archives/fulldisclosure/2009-05/att-0135/IIS_Advisory.pdf | MISC | archives.neohapsis.com | Broken Link |
| NEOHAPSIS - Peace of Mind Through Integrity and Insight | FULLDISC | archives.neohapsis.com | Broken Link |
| Repository / Oval Repository | OVAL | oval.cisecurity.org | Third Party Advisory |
| Secdev - Thierry Zoller: IIS 6 / IIS 5 / IIS 5.1+ Webdav auth bypass (update #7) | MISC | blog.zoller.lu | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.