Test ID: | 1.3.6.1.4.1.25623.1.0.104020 |
Category: | Nmap NSE net |
Title: | Nmap NSE net: http-iis-webdav-vuln |
Description: | Summary: Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access secured WebDAV folders by searching for a password-protected folder and attempting to access it. This vulnerability was patched in Microsoft Security Bulletin MS09-020. A list of well-known folders (almost 900) is used by default. Each one is checked, and if it returns an authentication request (401), another attempt is made with the malicious encoding. If that attempt returns a successful result (207), then the folder is marked as vulnerable. This script is based on the Metasploit modules/auxiliary/scanner/http/wmap_dir_webdav_unicode_bypass.rb auxiliary module. For more information on this vulnerability and script, see the references. SYNTAX: http.pipeline: If set, it represents the number of HTTP requests that will be pipelined (i.e., sent in a single request). This can be set low to make debugging easier, or it can be set high to test how a server reacts (its chosen max is ignored). basefolder: The folder to start in, e.g. "/web" will try "/web/xxx". folderdb: The filename of an alternate list of folders. http-max-cache-size: The maximum memory size (in bytes) of the cache. webdavfolder: Selects a single folder to use, instead of using a built-in list. CVSS Score: 7.5. CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P |
Cross-Ref: |
BugTraq ID: 35232
Common Vulnerability Exposure (CVE) ID: CVE-2009-1122
http://www.securityfocus.com/bid/35232
Cert/CC Advisory: TA09-160A
http://www.us-cert.gov/cas/techalerts/TA09-160A.html
Microsoft Security Bulletin: MS09-020
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-020
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5861
http://www.securitytracker.com/id?1022358
http://www.attrition.org/pipermail/vim/2009-June/002192.html
http://www.vupen.com/english/advisories/2009/1539
Common Vulnerability Exposure (CVE) ID: CVE-2009-1535
http://archives.neohapsis.com/archives/fulldisclosure/2009-05/0135.html
http://archives.neohapsis.com/archives/fulldisclosure/2009-05/0139.html
http://archives.neohapsis.com/archives/fulldisclosure/2009-05/0144.html
http://archives.neohapsis.com/archives/fulldisclosure/2009-05/att-0135/IIS_Advisory.pdf
http://blog.zoller.lu/2009/05/iis-6-webdac-auth-bypass-and-data.html
http://isc.sans.org/diary.html?n&storyid=6397
http://view.samurajdata.se/psview.php?id=023287d6&page=1
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6029 |
Copyright | Copyright (C) 2011 NSE-Script: The Nmap Security Scanner; NASL-Wrapper: Greenbone Networks GmbH |