[NT] Authentication Bypass in iisPROTECT

From: SecuriTeam (support_at_securiteam.com)
Date: 05/26/03

  • Next message: SecuriTeam: "[EXPL] WsMp3d Remote Exploit for Heap Overflow Vulnerability (CHA)"
    To: list@securiteam.com
    Date: 26 May 2003 11:44:26 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    In the US?

    Contact Beyond Security at our new California office
    housewarming rates on automated network vulnerability
    scanning. We also welcome ISPs and other resellers!

    Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
    - - - - - - - - -

      Authentication Bypass in iisPROTECT
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.iisprotect.com/> iisPROTECT is designed to provide password
    protection to web directories similar to the htaccess method utilized by
    the Apache Software Foundation's HTTP web server. A vulnerability in the
    product allows bypassing the protection mechanism.

    DETAILS

    Vulnerable systems:
     * iisPROTECT version 2.1 and 2.2

    Immune systems:
     * iisPROTECT version 2.2.0.9

    Upon successful installation and implementation of iisPROTECT, users will
    be presented with a login and password dialog box when attempting to
    access files contained in a protected directory.

    Consider the following example:
    http://iisprotected.example.com/protected/secret.html

    An attacker can bypass this authentication by simply requesting the same
    file through different URL-encoded representations. Examples of these
    include but are not limited to:
    http://iisprotected.example.com/%70rotected/secret.html
    http://iisprotected.example.com/protected%2fsecret.html

    Vendor timeline:
    12/31/2002 Issue disclosed to iDEFENSE
    04/16/2003 E-mail sent to info@iisprotect.com
    04/16/2003 Response received from David Fearn of iisPROTECT
    04/16/2003 Patch provided to iDEFENSE for verification
    05/22/2003 Coordinated public disclosure

    ADDITIONAL INFORMATION

    The original advisory can be viewed by going to:
     <http://www.idefense.com/advisory/05.22.03.txt>
    http://www.idefense.com/advisory/05.22.03.txt

    The information has been provided by <mailto:labs@idefense.com> iDEFENSE
    Labs.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[EXPL] WsMp3d Remote Exploit for Heap Overflow Vulnerability (CHA)"

    Relevant Pages