[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[OOB] CAN-2000-0884 - IIS Unicode

The IIS Unicode problem (MS:MS00-078) has received a lot of attention
lately.  It has been assigned CAN-2000-0884.

This out-of-band candidate is being posted to the Editorial Board list
so that candidate numbers can be made available as soon as possible
for the most serious security issues.  It will also be posted on the
CVE web site.  As a reminder, Board members can request out-of-band
candidates for recently publicized security issues that have a broad

This out-of-band candidate is *not* being proposed for votes at this
time.  It will be included in the next round of RECENT-XX clusters.

- Steve

Candidate: CAN-2000-0884
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0884
Assigned: 20001019
Category: SF
Reference: BUGTRAQ:20001017 IIS %c1%1c remote command execution
Reference: MS:MS00-078
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-078.asp

IIS 4.0 and 5.0 allows remote attackers to read documents outside of
the web root, and possibly execute arbitrary commands, via malformed
URLs that contain UNICODE encoded characters, aka the "Web Server
Folder Traversal" vulnerability.

Page Last Updated or Reviewed: May 22, 2007