IIS 8.0 and 8.5 Wildcard Rule Processing Flaw in Microsoft's HTTP Server
CVE-2014-4078
Currently unrated
Key Information:
- Vendor: Microsoft
- CVE Published: 11 November 2014
Summary
The IP Security feature in Microsoft Internet Information Services (IIS) versions 8.0 and 8.5 is susceptible to a bypass because it improperly processes wildcard allow and deny rules. An attacker can send crafted HTTP requests that circumvent the rules configured under 'IP Address and Domain Restrictions'. As a result, the attacker may gain unauthorized access, exposing the server to potential attacks. Proper configuration and patching are essential to mitigate this risk.
EPSS Score
9% chance of being exploited in the next 30 days.