Implementation Flaw with Microsoft WebDAV

Reported April 18, 2001, by Microsoft.

VERSIONS AFFECTED

  • Microsoft Windows 2000, Windows NT, Windows Me, and Windows 9x

DESCRIPTION

A flaw in Microsoft’s implementation of WWW Distributed Authoring and Versioning (WebDAV) causes a request made by a script to run under the user’s security context. WebDAV should distinguish between a request made by the user and one made by a script that a Web browser runs, but Microsoft’s WebDAV implementation does not differentiate between the two. An attacker can use this flaw to browse the user’s intranet or access Web-based email if the attacker knows certain variables, such as server names, folder structures, and specific user and network information.

VENDOR RESPONSE

Microsoft has issued security bulletin MS01-022 to address this vulnerability, and has also issued a hotfix that changes the WebDAV implementation to correctly process these scripts.

CREDIT


Discovered by Microsoft.
