VeriSign, Inc.® US Home | Worldwide Sites | Site Map
Products & Services Solutions Support About VeriSign Login for existing VeriSign customers
You Are Here: US Home > VeriSign iDefense Security Intelligence Service > Current Intelligence > Vulnerability Advisories > 2003 > 05.22.03

Authentication Bypass in iisPROTECT

I. BACKGROUND

iisPROTECT is designed to provide password protection to web directories similar to the htaccess method utilized by the Apache Software Foundation's HTTP web server.  More information about iisPROTECT is available at http://www.iisprotect.com .

II. DESCRIPTION

Upon successful installation and implementation of iisPROTECT, users will be presented with a login and password dialog box when attempting to access files contained in a protected directory. Consider the following example:

http://iisprotected.example.com/protected/secret.html

An attacker can bypass this authentication by simply requesting the same file through different URL-encoded representations. Examples of these include but are not limited to:

http://iisprotected.example.com/%70rotected/secret.html
http://iisprotected.example.com/protected%2fsecret.html

III. ANALYSIS

Any remote attacker can exploit the above-described vulnerability to bypass the access control restrictions imposed by iisPROTECT, thereby exposing potentially sensitive files and information.

IV. DETECTION

iisPROTECT 2.1 and 2.2 are vulnerable. Previous versions may be vulnerable as well.

V. VENDOR FIX/RESPONSE

iisPROTECT has released version 2.2.0.9 to fix this vulnerability. The latest version is available at www.iisprotect.com .

VI. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2003-0317 to this issue.

VII. DISCLOSURE TIMELINE

12/31/2002  Issue disclosed to iDEFENSE
04/16/2003  E-mail sent to info@iisprotect.com
04/16/2003  Response received from David Fearn of iisPROTECT
04/16/2003  Patch provided to iDEFENSE for verification
05/22/2003  Coordinated public disclosure


Need more information?
Speak with a service representative at 650-426-5310 Request information online


Contact Us
Please contact sales at
650-426-5310 or
submit your inquiry online.
VeriSign iDefense Security Intelligence Service
Security Intelligence Service Levels
Alerts, Reports, and Briefings
Methodology
Research and Response Teams
Current Intelligence
Topical Research Reports
Vulnerability Advisories
Malicious Code Advisories
Information Center
Security Intelligence Webcasts
Proactive Security Intelligence
Intelligence for Patch Management
Early Threat Warning
Contact Us Careers Legal Notices Privacy Repository ©1995-2007 VeriSign, Inc. All rights reserved.
Products & Services  :  Solutions  :  Support  :  About VeriSign  :  Existing Customers
US Home  :  Worldwide Sites  :  Site Map  :  Search
VeriSign (Nasdaq: VRSN) operates intelligent infrastructure services that enable and protect billions of interactions across the world's voice and data networks. VeriSign offerings include SSL Certificates, two-factor authentication, identity protection, managed network security, public key infrastructure (PKI), security consulting, information management, as well as solutions for intelligent communications, commerce, and content. VeriSign is also building next-generation service offerings for emerging opportunities such as RFID-enabled supply chains, VoIP technology, and digital-content distribution over mobile and broadband networks.