WebDAV Authentication Bypass in Microsoft Internet Information Services
CVE-2009-1535

Currently unrated

Key Information:

Vendor: Microsoft
Status: Internet Information Services
Vendor: CVE Published:; 10 June 2009

What is CVE-2009-1535?

The WebDAV extension in Microsoft Internet Information Services (IIS) versions 5.1 and 6.0 is susceptible to an authentication bypass vulnerability. This flaw allows remote attackers to exploit URI-based protection mechanisms, enabling them to list directories and read, create, or modify files. By inserting the Unicode character %c0%af at various positions within a URI, malicious actors can circumvent directory password protections. This vulnerability underscores the need for careful handling of URI inputs in server configurations, specifically regarding WebDAV-enabled directories.

References

https://oval.cisecurity.org/repository/search/definition/...

vdb-entrysignaturex_refsource_OVAL

https://docs.microsoft.com/en-us/security-updates/securit...

vendor-advisoryx_refsource_MS

http://view.samurajdata.se/psview.php?id=023287d6&page=1

x_refsource_MISC

EPSS Score

91% chance of being exploited in the next 30 days.

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 10, 2009
Vulnerability Reserved
May 5, 2009