Remote Code Execution Vulnerability in Microsoft Internet Information Services
CVE-2003-1567
Currently unrated
Summary
The undocumented TRACK method in Microsoft Internet Information Services (IIS) 5.0 returns the content of the original request in the response body. Remote attackers can use this to steal sensitive cookies and authentication credentials, bypassing HttpOnly protections. The technique is similar to a cross-site tracing (XST) attack: the attacker reads the HTTP headers returned in the response, compromising users of web applications hosted on affected IIS versions.
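One way to check a server you administer for the echo behaviour described in the summary, as an added example that is not part of the original entry: the classifier takes a probe request and the raw reply, and reports whether the request came back in the body and which sensitive headers that exposes. The host name, header values, status codes and both sample replies are constructed assumptions.

```python
# Added example. Every request and response below is a constructed sample,
# not captured traffic and not the documented output of any IIS version.
SENSITIVE = ("cookie", "authorization")

def split_message(raw: bytes):
    """Split a raw HTTP message into (start line, {header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    start, *lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return start, headers, body.decode("latin-1")

def classify(request: bytes, response: bytes):
    """Return (verdict, sensitive request headers found in the reply body)."""
    _, req_headers, _ = split_message(request)
    status_line, _, body = split_message(response)
    parts = status_line.split()
    if len(parts) < 2 or not parts[1].isdigit():
        return "inconclusive", []
    status = int(parts[1])
    # A request header counts as reflected when its value appears in the body.
    reflected = sorted(n for n, v in req_headers.items() if v and v in body)
    if 200 <= status < 300 and reflected:
        return "echoed", [n for n in reflected if n in SENSITIVE]
    if status >= 400:
        return "rejected", []
    return "inconclusive", []

# Constructed probe carrying placeholder credentials.
PROBE = (b"TRACK / HTTP/1.1\r\nHost: iis.example.test\r\n"
         b"Cookie: session=constructed-value-123\r\n"
         b"Authorization: Basic constructed-credential\r\n\r\n")
# Constructed reply from a server that echoes the request (method enabled).
ECHOING = b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n" + PROBE
# Constructed reply from a server where the method is refused.
BLOCKED = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n"

if __name__ == "__main__":
    for label, reply in (("echoing", ECHOING), ("blocked", BLOCKED)):
        print(label, classify(PROBE, reply))
```

An "echoed" verdict listing `cookie` means a cookie marked HttpOnly is still readable from the response body, which is the exposure the summary describes.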
References
EPSS Score
82% chance of being exploited in the next 30 days.
Timeline
Vulnerability Reserved
Vulnerability published