Microsoft IIS 4.0/5.0 File Permission Canonicalization Vulnerability

Due to an error in canonicalization affecting CGI scripts and ISAPI extensions, incorrect permissions may be set for a given file on a web server following a malformed HTTP request. This will allow a user to perform actions on CGI or ISAPI-mapped files, including reading or executing, which would normally be denied. This does not apply to files in virtual folders.The correct file is located, but is concluded to be in a location different from its actual folder. Depending on the exact nature of the malformed URL, the file may inherit the permissions of any parent folder in the file's path.


Privacy Statement
Copyright 2010, SecurityFocus