Authentication Bypass Vulnerability in Microsoft IIS Web Server 5.0
CVE-2007-2815

Currently unrated

Key Information:

Vendor: Microsoft
Status: Internet Information Services
Vendor: CVE Published:; 22 May 2007

Summary

The 'hit-highlighting' function in webhits.dll of Microsoft IIS Web Server 5.0 is susceptible to an authentication bypass issue. This vulnerability allows remote attackers to circumvent NTLM and basic authentication mechanisms, granting unauthorized access to private web directories. The flaw arises from improper use of Windows NT ACL (Access Control List) configuration, particularly through manipulation of the CiWebhitsfile parameter. Attackers can exploit this vulnerability to access restricted content, potentially leading to data exposure.

References

http://osvdb.org/41091

vdb-entryx_refsource_OSVDB

http://securityreason.com/securityalert/2725

third-party-advisoryx_refsource_SREASON

http://www.securityfocus.com/archive/1/469238/100/0/threaded

mailing-listx_refsource_BUGTRAQ

EPSS Score

87% chance of being exploited in the next 30 days.

Timeline

Vulnerability published
May 22, 2007
Vulnerability Reserved
May 22, 2007