CVE-2009-1122

Microsoft Internet Information Services - Authentication Bypass

Title source: rule

Description

The WebDAV extension in Microsoft Internet Information Services (IIS) 5.0 on Windows 2000 SP4 does not properly decode URLs, which allows remote attackers to bypass authentication, and possibly read or create files, via a crafted HTTP request, aka "IIS 5.0 WebDAV Authentication Bypass Vulnerability," a different vulnerability than CVE-2009-1535.

Exploits (1)

exploitdb WORKING POC VERIFIED

by ka0x · perlremotewindows

https://www.exploit-db.com/exploits/8806

View Code ZIP pw:eip

References (7)

[Third Party Advisory] http://www.attrition.org/pipermail/vim/2009-June/002192.html

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/35232

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id?1022358

[Third Party Advisory, US Government Resource] http://www.us-cert.gov/cas/techalerts/TA09-160A.html

[Third Party Advisory] http://www.vupen.com/english/advisories/2009/1539

[Patch, Vendor Advisory] https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-020

[Third Party Advisory] https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5861

Scores

EPSS 0.9234

EPSS Percentile 99.7%

Classification

CWE

CWE-287

Status draft

Affected Products (1)

microsoft/internet_information_services

Timeline

Published Jun 10, 2009

Tracked Since Feb 18, 2026