Home / bulletins

MS09-020 - Important: Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483) - Version:1.1

Posted on 01 August 2009

Important

Severity Rating: Important - Revision Note: V1.1 (June 17, 2009): Expanded on the "What causes the vulnerability?" FAQ entries for CVE-2009-1122 and CVE-2009-1535. This is an informational change only.Summary: This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Internet Information Services (IIS). The vulnerabilities could allow elevation of privilege if an attacker sent a specially crafted HTTP request to a Web site that requires authentication. These vulnerabilities allow an attacker to bypass the IIS configuration that specifies which type of authentication is allowed, but not the file system-based access control list (ACL) check that verifies whether a file is accessible by a given user. Successful exploitation of these vulnerabilities would still restrict the attacker to the permissions granted to the anonymous user account by the file system ACLs.

Link

Other versions

 

TOP