[VulnWatch] iDEFENSE Security Advisory 05.22.03: Authentication Bypass in iisPROTECT

From: iDEFENSE Labs (labs_at_idefense.com)
Date: 05/22/03

    To: vulnwatch@vulnwatch.org
    Date: Thu, 22 May 2003 16:12:01 -0400
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    iDEFENSE Security Advisory 05.22.03:
    http://www.idefense.com/advisory/05.22.03.txt
    Authentication Bypass in iisPROTECT
    May 22, 2003

    I. BACKGROUND

    iisPROTECT is designed to provide password protection to web
    directories similar to the htaccess method utilized by the Apache
    Software Foundation's HTTP web server. More information about
    iisPROTECT is available at http://www.iisprotect.com .

    II. DESCRIPTION

    Upon successful installation and implementation of iisPROTECT, users
    will be presented with a login and password dialog box when
    attempting to access files contained in a protected directory.
    Consider the following example:

    http://iisprotected.example.com/protected/secret.html

    An attacker can bypass this authentication by simply requesting the
    same file through different URL-encoded representations. Examples of
    these include but are not limited to:

    http://iisprotected.example.com/%70rotected/secret.html
    http://iisprotected.example.com/protected%2fsecret.html
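
    The mismatch behind these two URLs, shown from the defender's side as an added example (not iisPROTECT's code or part of the original advisory): a check that matches the raw request path misses both encoded forms, while a check that canonicalizes the path first catches them. Modelling the check as a directory-prefix match is an assumption, and all function names and the sample policy are hypothetical.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed sample policy; the directory name comes from the advisory's URLs.
PROTECTED_DIRS = ("/protected",)

def _under_protected_dir(path):
    return any(path == d or path.startswith(d + "/") for d in PROTECTED_DIRS)

def naive_requires_auth(url):
    """Flawed model: matches the raw, still-encoded request path."""
    return _under_protected_dir(urlsplit(url).path)

def canonical_path(raw_path, max_rounds=3):
    """Reduce a request path to the form the file-serving layer resolves."""
    path = raw_path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        raise ValueError("path still changes after repeated decoding")
    if "\x00" in path:
        raise ValueError("NUL byte in path")
    path = path.replace("\\", "/").lower()  # Windows paths: either slash, any case
    path = "/" + path.lstrip("/")           # normpath would keep a leading "//"
    return posixpath.normpath(path)         # collapse "//", "." and ".."

def requires_auth(url):
    """Hardened check: canonicalize first, then match; fail closed on errors."""
    try:
        return _under_protected_dir(canonical_path(urlsplit(url).path))
    except ValueError:
        return True

# The first three URLs are the ones quoted in the advisory; the last is constructed.
SAMPLES = [
    "http://iisprotected.example.com/protected/secret.html",
    "http://iisprotected.example.com/%70rotected/secret.html",
    "http://iisprotected.example.com/protected%2fsecret.html",
    "http://iisprotected.example.com/public/index.html",
]

def audit(urls=SAMPLES):
    """Return (url, naive_result, hardened_result) for each URL."""
    return [(u, naive_requires_auth(u), requires_auth(u)) for u in urls]
```

    Any row from `audit()` where the two results differ marks a request that the raw-path check would let through unauthenticated.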

    III. ANALYSIS

    Any remote attacker can exploit the above-described vulnerability to
    bypass the access control restrictions imposed by iisPROTECT, thereby
    exposing potentially sensitive files and information.

    IV. DETECTION

    iisPROTECT 2.1 and 2.2 are vulnerable. Previous versions may be
    vulnerable as well.

    V. VENDOR FIX/RESPONSE

    iisPROTECT has released version 2.2.0.9 to fix this vulnerability.
    The latest version is available at www.iisprotect.com .

    VI. CVE INFORMATION

    The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
    has assigned the identification number CAN-2003-0317 to this issue.

    VII. DISCLOSURE TIMELINE

    12/31/2002 Issue disclosed to iDEFENSE
    04/16/2003 E-mail sent to info@iisprotect.com
    04/16/2003 Response received from David Fearn of iisPROTECT
    04/16/2003 Patch provided to iDEFENSE for verification
    05/22/2003 Coordinated public disclosure

    Get paid for security research
    http://www.idefense.com/contributor.html

    Subscribe to iDEFENSE Advisories:
    send email to listserv@idefense.com, subject line: "subscribe"

    About iDEFENSE:

    iDEFENSE is a global security intelligence company that proactively
    monitors sources throughout the world, from technical
    vulnerabilities and hacker profiling to the global spread of viruses
    and other malicious code. Our security intelligence services provide
    decision-makers, frontline security professionals and network
    administrators with timely access to actionable intelligence and
    decision support on cyber-related threats. For more information,
    visit http://www.idefense.com .

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0

    iQA/AwUBPs0sI/rkky7kqW5PEQJ11gCdHgUEgy8TT+Lr/t/tef6BYG4FisQAnR4k
    pNS6K6Zfcoq+2VAn0Tezj/rC
    =pkHC
    -----END PGP SIGNATURE-----

