Lucene search
Copyright (C) 2009 Greenbone AGOPENVAS:1361412562310900711HistoryMay 20, 2009 - 12:00 a.m.
Microsoft IIS WebDAV Remote Authentication Bypass Vulnerability
2009-05-2000:00:00
Copyright (C) 2009 Greenbone AG
plugins.openvas.org
60
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
6.6 Medium
AI Score
Confidence
Low
0.953 High
EPSS
Percentile
99.4%
Microsoft IIS Webserver with WebDAV Module is prone to remote authentication bypass vulnerability.
# SPDX-FileCopyrightText: 2009 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
CPE = "cpe:/a:microsoft:internet_information_services";
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.900711");
script_version("2023-10-10T05:05:41+0000");
script_tag(name:"last_modification", value:"2023-10-10 05:05:41 +0000 (Tue, 10 Oct 2023)");
script_tag(name:"creation_date", value:"2009-05-20 10:26:22 +0200 (Wed, 20 May 2009)");
script_tag(name:"cvss_base", value:"7.5");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_cve_id("CVE-2009-1535");
script_name("Microsoft IIS WebDAV Remote Authentication Bypass Vulnerability");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2009 Greenbone AG");
script_family("Web Servers");
script_dependencies("gb_microsoft_iis_http_detect.nasl");
script_require_ports("Services/www", 80);
script_mandatory_keys("IIS/installed");
script_xref(name:"URL", value:"http://view.samurajdata.se/psview.php?id=023287d6&page=2");
script_xref(name:"URL", value:"http://www.securityfocus.com/bid/34993");
script_xref(name:"URL", value:"http://www.microsoft.com/technet/security/advisory/971492");
script_xref(name:"URL", value:"http://blog.zoller.lu/2009/05/iis-6-webdac-auth-bypass-and-data.html");
script_xref(name:"URL", value:"http://downloads.securityfocus.com/vulnerabilities/exploits/34993.rb");
script_xref(name:"URL", value:"http://downloads.securityfocus.com/vulnerabilities/exploits/34993.txt");
script_tag(name:"impact", value:"Successful exploitation will let the attacker craft malicious UNICODE characters
and send it over the context of IIS Webserver where WebDAV is enabled. As a
result due to lack of security implementation check it will let the user fetch
password protected directories without any valid authentications.");
script_tag(name:"insight", value:"Due to the wrong implementation of UNICODE characters support (WebDAV extension)
for Microsoft IIS Server which fails to decode the requested URL properly.
Unicode character checks are being done after IIS Server internal security
check, which lets the attacker execute any crafted UNICODE character in the
HTTP requests to get information on any password protected directories without
any authentication schema.");
script_tag(name:"solution", value:"The vendor has released updates. Please see the references for more information.
Workaround: Disable WebDAV or upgrade to Microsoft IIS 7.0.");
script_tag(name:"summary", value:"Microsoft IIS Webserver with WebDAV Module is prone to remote authentication bypass vulnerability.");
script_tag(name:"affected", value:"Microsoft Internet Information Services version 5.0 to 6.0.");
script_tag(name:"qod_type", value:"remote_vul");
script_tag(name:"solution_type", value:"VendorFix");
script_xref(name:"URL", value:"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-020");
exit(0);
}
include("http_func.inc");
include("http_keepalive.inc");
include("version_func.inc");
include("host_details.inc");
if( ! port = get_app_port( cpe:CPE, service:"www" ) )
exit( 0 );
if( ! vers = get_app_version( cpe:CPE, port:port ) )
exit( 0 );
host = http_host_name( port:port );
# For IIS WebDAV Enabled servers "MS-Author-VIA" header should be present.
# "OPTIONS" HTTP Method fetches which HTTP methods are supported for your server.
request = string( "OPTIONS / HTTP/1.0 \r\n\r\n",
"Host: ", host, "\r\n" );
response = http_keepalive_send_recv( port:port, data:request, bodyonly:FALSE );
if( response !~ "^HTTP/1\.[01] 200" && "Server: Microsoft-IIS" >!< response ) {
request = string( "OPTIONS / HTTP/1.1 \r\n\r\n" );
response = http_keepalive_send_recv( port:port, data:request, bodyonly:FALSE );
if( response !~ "^HTTP/1\.[01] 200" && "Server: Microsoft-IIS" >!< response ) {
exit( 0 );
}
}
if( "MS-Author-Via: DAV" >!< response )
exit( 0 );
if( version_in_range( version:vers, test_version:"5.0", test_version2:"6.0" ) ) {
security_message( port:port );
exit( 0 );
}
exit( 99 );
References
blog.zoller.lu/2009/05/iis-6-webdac-auth-bypass-and-data.html
downloads.securityfocus.com/vulnerabilities/exploits/34993.rb
downloads.securityfocus.com/vulnerabilities/exploits/34993.txt
view.samurajdata.se/psview.php?id=023287d6&page=2
www.microsoft.com/technet/security/advisory/971492
www.securityfocus.com/bid/34993
docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-020
Related
cert
cert
Microsoft IIS WebDAV Remote Authentication Bypass
2009-05-19 00:00:00
checkpoint_advisories
checkpoint_advisories
Microsoft IIS WebDAV Extension URL Decoding Security Bypass (CVE-2009-1535)
2009-05-19 00:00:00
nessus
nessus
cve
cve
cvelist
cvelist
CVE-2009-1122
2009-06-10 18:00:00
CVE-2009-1535
2009-06-10 14:00:00
prion
prion
Authentication flaw
2009-06-10 18:30:00
Authentication flaw
2009-06-10 14:30:00
nvd
nvd
openvas
openvas
Nmap NSE net: http-iis-webdav-vuln
2011-06-01 00:00:00
Nmap NSE net: http-iis-webdav-vuln
2011-06-01 00:00:00
Microsoft IIS Security Bypass Vulnerability (970483)
2009-06-10 00:00:00
securityvulns
securityvulns
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
6.6 Medium
AI Score
Confidence
Low
0.953 High
EPSS
Percentile
99.4%
Related for OPENVAS:1361412562310900711