iDEFENSE Security Advisory 05.22.03: http://www.idefense.com/advisory/05.22.03.txt

Authentication Bypass in iisPROTECT

May 22, 2003

I. BACKGROUND

iisPROTECT is designed to provide password protection to web directories similar to the htaccess method utilized by the Apache Software Foundation's HTTP web server. More information about iisPROTECT is available at http://www.iisprotect.com .

II. DESCRIPTION

Upon successful installation and implementation of iisPROTECT, users will be presented with a login and password dialog box when attempting to access files contained in a protected directory. Consider the following example:

http://iisprotected.example.com/protected/secret.html

An attacker can bypass this authentication by simply requesting the same file through different URL-encoded representations. Examples of these include but are not limited to:

http://iisprotected.example.com/%70rotected/secret.html
http://iisprotected.example.com/protected%2fsecret.html

III. ANALYSIS

Any remote attacker can exploit the above-described vulnerability to bypass the access control restrictions imposed by iisPROTECT, thereby exposing potentially sensitive files and information.

IV. DETECTION

iisPROTECT 2.1 and 2.2 are vulnerable. Previous versions may be vulnerable as well.

V. VENDOR FIX/RESPONSE

iisPROTECT has released version 2.2.0.9 to fix this vulnerability. The latest version is available at www.iisprotect.com .

VI. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2003-0317 to this issue.

VII. DISCLOSURE TIMELINE

12/31/2002 Issue disclosed to iDEFENSE
04/16/2003 E-mail sent to info@iisprotect.com
04/16/2003 Response received from David Fearn of iisPROTECT
04/16/2003 Patch provided to iDEFENSE for verification
05/22/2003 Coordinated public disclosure

Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv@idefense.com, subject line: "subscribe"

About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively monitors sources throughout the world — from technical vulnerabilities and hacker profiling to the global spread of viruses and other malicious code. Our security intelligence services provide decision-makers, frontline security professionals and network administrators with timely access to actionable intelligence and decision support on cyber-related threats. For more information, visit http://www.idefense.com .
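As an added illustration, not code from iDEFENSE or from the iisPROTECT product, the Python below contrasts a literal prefix match, which the two encoded URLs in section II slip past, with the same check applied only after the request path has been canonicalised (percent-decoded, separator- and case-normalised), plus a log-side heuristic that flags requests whose path had to be rewritten to reach a protected area. The protected-prefix list and the decoding rules are assumptions for the demonstration; a real filter must canonicalise exactly the way the web server it fronts does.

```python
from urllib.parse import unquote
import posixpath

# Assumed configuration for the demonstration: directories that require a login.
PROTECTED_PREFIXES = ("/protected/",)


def naive_is_protected(raw_path: str) -> bool:
    """Literal prefix match on the path as received: the pattern the advisory describes."""
    return any(raw_path.startswith(p) for p in PROTECTED_PREFIXES)


def canonicalize(raw_path: str) -> str:
    """Reduce a request path to one canonical form before any access decision is made."""
    path = raw_path
    # Decode until stable so a double-encoded path (%2570) also resolves; erring
    # towards "protected" is the safe direction for a deny decision.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")          # IIS accepts backslash as a separator
    path = posixpath.normpath("/" + path.lstrip("/"))  # collapse ./ ../ and extra slashes
    return path.lower()                     # IIS paths are case-insensitive


def canonical_is_protected(raw_path: str) -> bool:
    """Access check applied to the canonical path, so encoding variants cannot evade it."""
    return any(canonicalize(raw_path).startswith(p) for p in PROTECTED_PREFIXES)


def evasion_suspected(raw_path: str) -> bool:
    """Detection heuristic for logs: the path reached a protected area only after rewriting."""
    return canonical_is_protected(raw_path) and canonicalize(raw_path) != raw_path


if __name__ == "__main__":
    # Constructed request paths, the two from the advisory plus a double-encoded one.
    for p in ("/protected/secret.html", "/%70rotected/secret.html",
              "/protected%2fsecret.html", "/%2570rotected/secret.html"):
        print(f"{p:32} naive={naive_is_protected(p)!s:5} canonical={canonical_is_protected(p)!s:5}"
              f" suspicious={evasion_suspected(p)}")
```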