The WebDAV extension in Microsoft Internet Information Services (IIS) 5.1 and 6.0 allows remote attackers to bypass URI-based protection mechanisms, and list folders or read, create, or modify files, via a %c0%af (Unicode / character) at an arbitrary position in the URI, as demonstrated by inserting %c0%af into a "/protected/" initial pathname component to bypass the password protection on the protected\ folder, aka "IIS 5.1 and 6.0 WebDAV Authentication Bypass Vulnerability," a different vulnerability than CVE-2009-1122.
Published 2009-06-10 14:30:00
Updated 2020-11-23 20:01:01
Vulnerability categories: Bypass, Gain privilege

Products affected by CVE-2009-1535

Exploit prediction scoring system (EPSS) score for CVE-2009-1535

EPSS score: 95.55% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~99% (the proportion of vulnerabilities scored at or below this one)

Metasploit modules for CVE-2009-1535

  • MS09-020 IIS6 WebDAV Unicode Auth Bypass Directory Scanner
    First seen: 2020-04-26
    auxiliary/scanner/http/dir_webdav_unicode_bypass
    This module is based on et's HTTP Directory Scanner module, with one exception. Where authentication is required, it attempts to bypass authentication using the WebDAV IIS6 Unicode vulnerability discovered by Kingcope. The vulnerability appears to be exploitable
  • MS09-020 IIS6 WebDAV Unicode Authentication Bypass
    First seen: 2020-04-26
    auxiliary/scanner/http/ms09_020_webdav_unicode_bypass
    This module attempts to bypass authentication using the WebDAV IIS6 Unicode vulnerability discovered by Kingcope. The vulnerability appears to be exploitable where WebDAV is enabled on the IIS6 server, and any protected folder requires either Basic, Digest or NTLM

CVSS scores for CVE-2009-1535

Base Score: 7.5
Base Severity: HIGH
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploitability Score: 10.0
Impact Score: 6.4
Score Source: NIST

CWE ids for CVE-2009-1535

  • When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
    Assigned by: nvd@nist.gov (Primary)