packetstorm | iDefense Labs | PACKETSTORM:31145
May 23, 2003 - 12:00 a.m.

iDEFENSE Security Advisory 2003-05-22.t


EPSS: 0.043 (Low), percentile 92.4%

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
iDEFENSE Security Advisory 05.22.03:  
http://www.idefense.com/advisory/05.22.03.txt  
Authentication Bypass in iisPROTECT  
May 22, 2003  
  
I. BACKGROUND  
  
iisPROTECT is designed to provide password protection to web  
directories similar to the htaccess method utilized by the Apache  
Software Foundation's HTTP web server. More information about  
iisPROTECT is available at http://www.iisprotect.com .  
  
II. DESCRIPTION  
  
Upon successful installation and implementation of iisPROTECT, users  
will be presented with a login and password dialog box when  
attempting to access files contained in a protected directory.  
Consider the following example:  
  
http://iisprotected.example.com/protected/secret.html  
  
An attacker can bypass this authentication by simply requesting the  
same file through different URL-encoded representations. Examples of  
these include but are not limited to:  
  
http://iisprotected.example.com/%70rotected/secret.html  
http://iisprotected.example.com/protected%2fsecret.html  
  
III. ANALYSIS  
  
Any remote attacker can exploit the above-described vulnerability to  
bypass the access control restrictions imposed by iisPROTECT, thereby  
exposing potentially sensitive files and information.  
  
IV. DETECTION  
  
iisPROTECT 2.1 and 2.2 are vulnerable. Previous versions may be  
vulnerable as well.  
  
V. VENDOR FIX/RESPONSE  
  
iisPROTECT has released version 2.2.0.9 to fix this vulnerability.  
The latest version is available at www.iisprotect.com .  
  
VI. CVE INFORMATION  
  
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project  
has assigned the identification number CAN-2003-0317 to this issue.  
  
VII. DISCLOSURE TIMELINE  
  
12/31/2002 Issue disclosed to iDEFENSE  
04/16/2003 E-mail sent to [email protected]  
04/16/2003 Response received from David Fearn of iisPROTECT  
04/16/2003 Patch provided to iDEFENSE for verification  
05/22/2003 Coordinated public disclosure  
  
  
Get paid for security research  
http://www.idefense.com/contributor.html  
  
Subscribe to iDEFENSE Advisories:  
send email to [email protected], subject line: "subscribe"  
  
  
About iDEFENSE:  
  
iDEFENSE is a global security intelligence company that proactively  
monitors sources throughout the world — from technical  
vulnerabilities and hacker profiling to the global spread of viruses  
and other malicious code. Our security intelligence services provide   
decision-makers, frontline security professionals and network   
administrators with timely access to actionable intelligence and  
decision support on cyber-related threats. For more information,  
visit http://www.idefense.com .  
  
-----BEGIN PGP SIGNATURE-----  
Version: PGP 8.0  
  
iQA/AwUBPs0sI/rkky7kqW5PEQJ11gCdHgUEgy8TT+Lr/t/tef6BYG4FisQAnR4k  
pNS6K6Zfcoq+2VAn0Tezj/rC  
=pkHC  
-----END PGP SIGNATURE-----  
  
`
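
The encoded URLs in section II reach the same file because percent-decoding happens after any check that compares the raw request path. The Python sketch below is an added example, not iisPROTECT's code or its fix: it puts that flawed comparison beside a check made on the canonical path, and uses the pair to flag encoded requests in a list of logged paths. The function names, `PROTECTED_PREFIXES` and the sample paths are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote

# Assumed configuration: the protected directory from the advisory's example.
PROTECTED_PREFIXES = ("/protected/",)

def naive_is_protected(raw_path):
    """Flawed pattern: match the raw request path, before any decoding."""
    return raw_path.lower().startswith(PROTECTED_PREFIXES)

def canonicalize(raw_path):
    """Reduce a request path to the form the file system will resolve."""
    path = unquote(raw_path)
    if unquote(path) != path:
        # Still contains escapes after one decode: ambiguous, refuse to guess.
        raise ValueError("nested percent-encoding")
    path = path.replace("\\", "/")  # Windows treats backslash as a separator
    canon = posixpath.normpath("/" + path.lstrip("/"))  # drop //, ./, ../
    if path.endswith("/") and canon != "/":
        canon += "/"
    return canon.lower()  # Windows file names are case-insensitive

def is_protected(raw_path):
    """Hardened check: decide on the canonical path, fail closed on doubt."""
    try:
        canon = canonicalize(raw_path)
    except ValueError:
        return True
    return any(canon.startswith(p) or canon == p.rstrip("/")
               for p in PROTECTED_PREFIXES)

def flag_bypass_attempts(raw_paths):
    """Log review: paths the naive check waves through but that resolve
    inside a protected directory."""
    return [p for p in raw_paths
            if is_protected(p) and not naive_is_protected(p)]

# Constructed sample: path parts of the advisory's URLs plus one benign request.
SAMPLE_PATHS = [
    "/protected/secret.html",
    "/%70rotected/secret.html",
    "/protected%2fsecret.html",
    "/public/index.html",
]

if __name__ == "__main__":
    for p in flag_bypass_attempts(SAMPLE_PATHS):
        print("encoded request for protected content:", p)
```

Run over the request paths in a web server log, `flag_bypass_attempts` returns only the requests that reach protected content through an encoded form, which is the pattern to look for on hosts that ran a vulnerable version.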
