// back

Authentication Bypass in iisPROTECT

05.22.03

BACKGROUND

iisPROTECT is designed to provide password protection to web directories similar to the htaccess method utilized by the Apache Software Foundation's HTTP web server.  More information about iisPROTECT is available at http://www.iisprotect.com .

DESCRIPTION

Upon successful installation and implementation of iisPROTECT, users will be presented with a login and password dialog box when attempting to access files contained in a protected directory. Consider the following example:

http://iisprotected.example.com/protected/secret.html

An attacker can bypass this authentication by simply requesting the same file through different URL-encoded representations. Examples of these include but are not limited to:

http://iisprotected.example.com/%70rotected/secret.html
http://iisprotected.example.com/protected%2fsecret.html

ANALYSIS

Any remote attacker can exploit the above-described vulnerability to bypass the access control restrictions imposed by iisPROTECT, thereby exposing potentially sensitive files and information.

DETECTION

iisPROTECT 2.1 and 2.2 are vulnerable. Previous versions may be vulnerable as well.

VENDOR RESPONSE

iisPROTECT has released version 2.2.0.9 to fix this vulnerability. The latest version is available at www.iisprotect.com .

CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2003-0317 to this issue.

DISCLOSURE TIMELINE

12/31/2002   Issue disclosed to iDEFENSE
04/16/2003   E-mail sent to info@iisprotect.com
04/16/2003   Response received from David Fearn of iisPROTECT
04/16/2003   Patch provided to iDEFENSE for verification
05/22/2003   Coordinated public disclosure