| VID | 22104 |
| Severity | 40 |
| Port | 80, ... |
| Protocol | TCP |
| Class | WWW |
| Detailed Description |
When IIS receives a request to run a script, it URL-decodes the request string into canonical form and runs a number of security checks on the result, including the check that rejects ".." directory traversal. A second decoding pass is then applied in order to parse the parameters that follow the filename. Because of a flaw in IIS, this second pass is mistakenly applied to the filename as well, after the security checks have already run. A filename that is percent-encoded twice (for example "%255c", which the first pass turns into "%5c" and the second into "\") therefore contains no ".." followed by a separator when it is checked, but does after the second decode. Specially crafted requests containing doubly encoded ".." and "/" or "\" characters can thus bypass the traversal checks and reach files outside the web root, including cmd.exe, which lets an attacker execute arbitrary commands on the IIS server in the security context of the anonymous web user account (IUSR_machinename).

This vulnerability is very similar to the IIS Unicode Translation Vulnerability reported earlier (Microsoft bulletin MS00-078). Like the Unicode vulnerability, it is a variation of the common "dot dot" directory traversal attack, which lets an attacker navigate the file system or execute commands at will. IIS and most current web servers include checks that prevent a literal "dot dot" attack. The Unicode vulnerability bypassed those checks through improper handling of Unicode-encoded ".." and "/" characters; this vulnerability exploits a different flaw in the IIS decoding mechanism, a superfluous second decoding pass, to reach the same result. Command execution through this flaw requires a virtual directory with execute permission (such as /scripts) from which the traversal can reach the system directory.

* References:
  * http://www.microsoft.com/technet/security/bulletin/ms01-026.asp
  * http://marc.theaimsgroup.com/?l=bugtraq&m=98992056521300&w=2 |
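The decode-check-decode ordering described above is easiest to see in a small model. The following block is an added example written for this entry, not IIS code and not from either referenced advisory: it models a server that decodes the filename, runs a traversal check, and then decodes the filename a second time, next to the corrected order that decodes exactly once. The virtual directory `/scripts`, the function names, the simplified traversal check, and the sample requests (a doubly encoded traversal of the kind the advisory describes, its single-encoded form, and a normal script request) are all assumptions made for the illustration.

```python
"""Two-pass URL decoding model of the IIS "superfluous decode" flaw
(MS01-026 / CVE-2001-0333).  Constructed illustration, not IIS code."""
import posixpath
import urllib.parse

# Hypothetical virtual directory with execute permission (assumption).
SCRIPTS_ROOT = "/scripts"


def canonical(path: str) -> str:
    """IIS treats '\\' like '/'; collapse '.' and '..' segments the way a
    file system would.  A '%' is an ordinary character at this stage."""
    return posixpath.normpath(path.replace("\\", "/"))


def escapes_root(path: str) -> bool:
    """Traversal check: True if the canonical path leaves SCRIPTS_ROOT."""
    canon = canonical(path)
    return not (canon == SCRIPTS_ROOT or canon.startswith(SCRIPTS_ROOT + "/"))


def vulnerable_resolve(request: str):
    """Flawed order: decode, check, decode again, then use the re-decoded
    filename.  Returns (file path, command-line args) or None if blocked."""
    filename, _, params = request.partition("?")
    once = urllib.parse.unquote(filename)          # first decoding pass
    if escapes_root(once):                         # security checks run here
        return None
    twice = urllib.parse.unquote(once)             # second pass, meant for params
    return canonical(twice), urllib.parse.unquote_plus(params)


def fixed_resolve(request: str):
    """Corrected order: decode exactly once, canonicalize, check, and never
    decode the filename again.  A '%' that survives the single pass stays a
    literal character and can no longer turn into '\\' or '/'."""
    filename, _, params = request.partition("?")
    canon = canonical(urllib.parse.unquote(filename))
    if escapes_root(canon):
        return None
    return canon, urllib.parse.unquote_plus(params)


if __name__ == "__main__":
    # Constructed sample requests (assumptions): doubly encoded traversal,
    # the same traversal encoded once, and a harmless script request.
    for req in (
        "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir",
        "/scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+dir",
        "/scripts/hello.exe?name=x",
    ):
        print(req)
        print("  vulnerable:", vulnerable_resolve(req))
        print("  fixed:     ", fixed_resolve(req))
```

The single-encoded traversal is caught by both versions, which is the protection the advisory says IIS already had. The doubly encoded request passes the check in `vulnerable_resolve` because the checked string still contains `%5c` rather than a separator, and only the second pass produces the `..\..\` that reaches cmd.exe. The corrected version does not add a second check after the second decode; it removes the second decode, which is the only ordering that keeps "what was checked" identical to "what is used".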
| Recommendation |
Apply the cumulative IIS patch from Microsoft Security Bulletin MS01-026, which removes the superfluous decoding pass in IIS 4.0 and IIS 5.0 (the affected versions); the fix is carried forward in later cumulative IIS patches and service packs. IIS 6.0 and later are not affected, so upgrading to IIS 6.0 or later also removes the issue. As defense in depth, remove execute permission from virtual directories that do not need it, and keep web content on a separate volume from the system directory so that a traversal cannot reach cmd.exe. After patching, verify that a request whose filename contains a doubly encoded traversal sequence (for example "..%255c") is rejected rather than executed. |
| Related URL | CVE-2001-0333 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |