SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Microsoft Internet Information Server (IIS) Web Server
Vendors:   Microsoft
Microsoft Internet Information Services WebDAV Bug Lets Remote Users Bypass Authentication
SecurityTracker Alert ID:  1022358
SecurityTracker URL:  http://securitytracker.com/id/1022358
CVE Reference:   CVE-2009-1122
Date:  Jun 9 2009
Impact:   Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 5.0
Description:   A vulnerability was reported in Microsoft Internet Information Services. A remote user can access ostensibly protected content on the target server.

A remote user can supply a specially crafted URL to bypass authentication and access content on the target WebDAV server.

Yamata Li of Palo Alto Networks reported this vulnerability.

Impact:   A remote user can access ostensibly protected content on the target server.
Solution:   The vendor has issued the following fixes:

Microsoft Windows 2000 Service Pack 4, Microsoft Internet Information Services 5.0:

http://www.microsoft.com/downloads/details.aspx?familyid=8515a294-4f25-4dc5-860a-e7ad9b6c1c01

Windows XP Professional Service Pack 2 and Windows XP Professional Service Pack 3, Microsoft Internet Information Services 5.1:

http://www.microsoft.com/downloads/details.aspx?familyid=97da589f-4534-42f6-9f29-967b5a33c542

Windows XP Professional x64 Edition Service Pack 2, Microsoft Internet Information Services 6.0:

http://www.microsoft.com/downloads/details.aspx?familyid=8982e6d2-e1f7-4208-88e3-80b159a8e21a

Windows Server 2003 Service Pack 2, Microsoft Internet Information Services 6.0:

http://www.microsoft.com/downloads/details.aspx?familyid=2bd4e410-dbd8-431a-b316-e1e2f1825c3a

Windows Server 2003 x64 Edition Service Pack 2, Microsoft Internet Information Services 6.0:

http://www.microsoft.com/downloads/details.aspx?familyid=ea363223-535d-4142-9aba-3890960c6259

Windows Server 2003 with SP2 for Itanium-based Systems, Microsoft Internet Information Services 6.0:

http://www.microsoft.com/downloads/details.aspx?familyid=e6b806eb-e2c4-4436-8964-720db593055d

A restart is required.

The Microsoft advisory is available at:

http://www.microsoft.com/technet/security/bulletin/ms09-020.mspx

Vendor URL:  www.microsoft.com/technet/security/bulletin/ms09-020.mspx
Cause:   Access control error
Underlying OS:  Windows (2000)
Underlying OS Comments:  2000 SP4

Message History:   None.


Copyright 2018, SecurityGlobal.net LLC