ID

VAR-200905-0134


CVE

CVE-2009-1676


TITLE

Microsoft IIS WebDAV Unicode Request to bypass authentication vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-200905-237

DESCRIPTION

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2009-1535. Reason: This candidate is a duplicate of CVE-2009-1535. Notes: All CVE users should reference CVE-2009-1535 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Microsoft Internet Information Service (IIS) is prone to multiple authentication-bypass vulnerabilities because the application fails to properly enforce access restrictions on certain requests to password-protected WebDAV folders. An attacker can exploit these issues to gain unauthorized access to protected WebDAV resources, which may lead to other attacks. This issue affects IIS 5.0, 5.1, and 6.0.

Trust: 1.26

sources: NVD: CVE-2009-1676 // BID: 34993 // VULMON: CVE-2009-1676

AFFECTED PRODUCTS

vendor: microsoft, model: iis, scope: eq, version: 6.0

Trust: 0.3

vendor: microsoft, model: iis, scope: eq, version: 5.1

Trust: 0.3

vendor: microsoft, model: iis, scope: eq, version: 5.0

Trust: 0.3

vendor: avaya, model: messaging application server mm, scope: eq, version: 3.1

Trust: 0.3

vendor: avaya, model: messaging application server mm, scope: eq, version: 3.0

Trust: 0.3

vendor: avaya, model: messaging application server mm, scope: eq, version: 2.0

Trust: 0.3

vendor: avaya, model: messaging application server mm, scope: eq, version: 1.1

Trust: 0.3

vendor: avaya, model: messaging application server, scope: eq, version: 0

Trust: 0.3

vendor: microsoft, model: iis, scope: ne, version: 7.0

Trust: 0.3

sources: BID: 34993

CVSS

SEVERITY

CVSSV2

CVSSV3

CNNVD: CNNVD-200905-237
value: LOW

Trust: 0.6

sources: CNNVD: CNNVD-200905-237

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200905-237

TYPE

unknown

Trust: 0.6

sources: CNNVD: CNNVD-200905-237

EXPLOIT AVAILABILITY

sources: VULMON: CVE-2009-1676

PATCH

title: -, url: https://github.com/l4ncelotcoder/Webdav

Trust: 0.1

sources: VULMON: CVE-2009-1676

EXTERNAL IDS

db: NVD, id: CVE-2009-1676

Trust: 2.0

db: CNNVD, id: CNNVD-200905-237

Trust: 0.6

db: BID, id: 34993

Trust: 0.4

db: CERT/CC, id: VU#787932

Trust: 0.3

db: EXPLOIT-DB, id: 8704

Trust: 0.1

db: VULMON, id: CVE-2009-1676

Trust: 0.1

sources: VULMON: CVE-2009-1676 // BID: 34993 // CNNVD: CNNVD-200905-237 // NVD: CVE-2009-1676

REFERENCES

url:http://blogs.technet.com/srd/archive/2009/05/20/answers-to-the-iis-webdav-authentication-bypass-questions.aspx

Trust: 0.3

url:http://blog.zoller.lu/2009/05/iis-6-webdav-unicode-bug-that-wont-die.html

Trust: 0.3

url:http://milw0rm.com/sploits/2009-iis-advisory.pdf

Trust: 0.3

url:http://www.microsoft.com/windowsserver2003/iis/default.mspx

Trust: 0.3

url:http://blogs.technet.com/srd/archive/2009/05/18/more-information-about-the-iis-authentication-bypass.aspx

Trust: 0.3

url:http://technet.microsoft.com/en-us/security/cc242650.aspx

Trust: 0.3

url:http://www.skullsecurity.org/blog/?p=285

Trust: 0.3

url:/archive/1/503857

Trust: 0.3

url:http://support.avaya.com/elmodocs2/security/asa-2009-215.htm

Trust: 0.3

url:http://www.microsoft.com/technet/security/advisory/971492.mspx

Trust: 0.3

url:http://www.microsoft.com/technet/security/bulletin/ms09-020.mspx

Trust: 0.3

url:http://www.kb.cert.org/vuls/id/787932

Trust: 0.3

url:https://github.com/l4ncelotcoder/webdav

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://www.securityfocus.com/bid/34993

Trust: 0.1

url:https://www.exploit-db.com/exploits/8704/

Trust: 0.1

sources: VULMON: CVE-2009-1676 // BID: 34993

CREDITS

Kingcope kingcope@gmx.net

Trust: 0.6

sources: CNNVD: CNNVD-200905-237

SOURCES

db: VULMON, id: CVE-2009-1676
db: BID, id: 34993
db: CNNVD, id: CNNVD-200905-237
db: NVD, id: CVE-2009-1676

LAST UPDATE DATE

2024-08-14T12:22:58.961000+00:00


SOURCES UPDATE DATE

db: VULMON, id: CVE-2009-1676, date: 2009-06-12T00:00:00
db: BID, id: 34993, date: 2009-06-18T16:49:00
db: CNNVD, id: CNNVD-200905-237, date: 2009-06-12T00:00:00
db: NVD, id: CVE-2009-1676, date: 2023-11-07T02:03:58.533

SOURCES RELEASE DATE

db: VULMON, id: CVE-2009-1676, date: 2009-05-18T00:00:00
db: BID, id: 34993, date: 2009-05-15T00:00:00
db: CNNVD, id: CNNVD-200905-237, date: 2009-05-18T00:00:00
db: NVD, id: CVE-2009-1676, date: 2009-05-18T18:30:01.127