WebDAV Authentication Bypass in Microsoft Internet Information Services
CVE-2009-1535
Currently unrated
Summary
The WebDAV extension in Microsoft Internet Information Services (IIS) versions 5.1 and 6.0 is susceptible to an authentication bypass vulnerability. This flaw allows remote attackers to bypass URI-based protection mechanisms, enabling them to list directories and read, create, or modify files. By inserting the Unicode-encoded sequence %c0%af at various positions within a URI, malicious actors can circumvent directory password protections. This vulnerability underscores the need for careful handling of URI inputs in server configurations, specifically for WebDAV-enabled directories.
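A log check for the %c0%af pattern described in the summary, added here as an example and not taken from the advisory or from Microsoft. It generalizes to any sequence starting with byte 0xC0 or 0xC1, which never begins valid UTF-8. Assumptions: the W3C extended log keeps the URI in percent-encoded form, and the sample lines, paths and function names are constructed for illustration.

```python
import re

# 0xC0 and 0xC1 never begin a valid UTF-8 sequence; followed by a continuation
# byte they form an overlong encoding of an ASCII character (%c0%af -> "/").
OVERLONG = re.compile(r"%c[01]%[89ab][0-9a-f]", re.IGNORECASE)
DAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Constructed sample log (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2009-05-20 10:01:02 192.0.2.10 GET /protected/report.doc - 401
2009-05-20 10:01:09 192.0.2.10 PROPFIND /prot%c0%afected/ - 207
2009-05-20 10:01:15 192.0.2.10 GET /prot%C0%AFected/report.doc - 200
2009-05-20 10:02:00 198.51.100.7 GET /public/caf%c3%a9.html - 200
2009-05-20 10:02:30 198.51.100.7 PUT /%c0%afprotected/new.txt - 401
"""

def parse_w3c(lines):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))

def find_overlong_requests(lines):
    """Return requests whose path or query contains an overlong sequence."""
    hits = []
    for rec in parse_w3c(lines):
        target = rec.get("cs-uri-stem", "") + "?" + rec.get("cs-uri-query", "")
        match = OVERLONG.search(target)
        if match:
            hits.append({
                "client": rec.get("c-ip", ""),
                "method": rec.get("cs-method", ""),
                "uri": rec.get("cs-uri-stem", ""),
                "sequence": match.group(0).lower(),
                "dav_method": rec.get("cs-method", "").upper() in DAV_METHODS,
                # A 2xx status means the server processed the request rather than refusing it.
                "served": rec.get("sc-status", "").startswith("2"),
            })
    return hits

if __name__ == "__main__":
    for hit in find_overlong_requests(SAMPLE_LOG.splitlines()):
        print(hit)
```

Hits with `served` set are the ones to triage first, since the server answered a request for a path it would otherwise have challenged.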
References
EPSS Score
91% chance of being exploited in the next 30 days.
Timeline
Vulnerability published
Vulnerability Reserved