Reported August 9, 2000 by Burt Abreu and Søren Skov of VBExplorer.com
- Microsoft Internet Information Server 4.x
An error in IIS canonicalization could allow a user to gain elevated privileges to specific files under particular circumstances. When a specially crafted URL is used, permission to access a specific file is determined by the permissions applied to a directory in the file's parent chain instead of the permissions of the directory in which the file actually resides.
Microsoft's bulletin points out that this problem only affects scripts and file types that are implemented via ISAPI extensions. In addition, the problem only affects IIS when virtual paths mirror actual physical directory paths.
Discovered by Burt Abreu and Søren Skov of VBExplorer.com