Microsoft IIS WebDAV authentication bypass
Description
A privilege escalation vulnerability exists in Microsoft IIS servers with the WebDAV extension enabled. The vulnerability allows unauthenticated attackers to bypass authentication mechanisms by sending specially crafted HTTP requests with malformed headers. This enables unauthorized access to protected resources that should require valid credentials, effectively circumventing the intended security controls.
Remediation
Primary Solution: Apply Security Updates
Install the official security patch from Microsoft as soon as possible. Refer to Microsoft Security Advisory 971492 for the appropriate update for your IIS version.
Workaround #1: Disable WebDAV Extension
If WebDAV functionality is not required, disable it entirely to eliminate the attack vector:
1. Open IIS Manager
2. Select the affected website or server
3. Navigate to WebDAV Authoring Rules
4. Click "Disable WebDAV" in the Actions pane
5. Restart IIS using iisreset
Additional guidance: http://support.microsoft.com/kb/241520
Workaround #2: Restrict NTFS Filesystem Permissions
Implement defense-in-depth by denying filesystem access to the anonymous IIS accounts:
1. Identify protected directories containing sensitive content
2. Right-click the directory and select Properties > Security tab
3. Explicitly deny Read permissions to IUSR_[MachineName] and IUSR accounts
4. Verify that only authenticated user accounts have access
Because IIS processes unauthenticated requests under the anonymous account's identity, an NTFS deny entry for that account blocks access to the content even if IIS authentication is bypassed. Reference: http://support.microsoft.com/kb/271071
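The steps above can be applied and checked from PowerShell. This is an added example, not part of the advisory or of any Microsoft guidance; it assumes the protected content lives under C:\inetpub\wwwroot\secure (a placeholder path) and that the anonymous identities are the built-in IUSR account and the legacy IUSR_<MachineName> account.

```powershell
# Added example (not from the advisory). Placeholder directory and the two anonymous
# IIS accounts named in Workaround #2; adjust both to match the server being hardened.
$ProtectedDir      = 'C:\inetpub\wwwroot\secure'
$AnonymousAccounts = @('IUSR', "IUSR_$env:COMPUTERNAME")

function Deny-AnonymousRead {
    param([string]$Path, [string[]]$Accounts)
    $acl = Get-Acl -Path $Path
    foreach ($account in $Accounts) {
        # The legacy IUSR_<MachineName> account only exists on upgraded IIS 6 hosts;
        # skip any name that cannot be resolved to a SID instead of failing the whole run.
        try {
            $null = (New-Object System.Security.Principal.NTAccount($account)).Translate(
                        [System.Security.Principal.SecurityIdentifier])
        } catch {
            Write-Warning "Account '$account' not found on this host; skipping"
            continue
        }
        # Explicit Deny for Read, inherited by all files and subfolders under $Path.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                    $account, 'Read', 'ContainerInherit, ObjectInherit', 'None', 'Deny')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-AnonymousDenied {
    # Returns $true only when every resolvable anonymous account has a Deny-Read ACE.
    param([string]$Path, [string[]]$Accounts)
    $acl = Get-Acl -Path $Path
    $readMask = [int][System.Security.AccessControl.FileSystemRights]::Read
    foreach ($account in $Accounts) {
        $match = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -like "*\$account" -and
            (([int]$_.FileSystemRights) -band $readMask) -eq $readMask
        }
        if (-not $match) {
            Write-Warning "No Deny-Read entry for '$account' on $Path"
            return $false
        }
    }
    return $true
}

Deny-AnonymousRead -Path $ProtectedDir -Accounts $AnonymousAccounts
Test-AnonymousDenied -Path $ProtectedDir -Accounts $AnonymousAccounts
```

A Deny ACE also blocks any content under the directory that was meant to be reachable anonymously, so apply it only to directories that already require authentication.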
Workaround #3: Deploy URLScan ISAPI Filter
Configure URLScan to block malicious request patterns:
1. Download and install URLScan from Microsoft
2. Edit URLScan.ini to add restrictive rules for WebDAV verbs
3. Block suspicious header patterns associated with the exploit
4. Test thoroughly to ensure legitimate WebDAV operations still function
Deployment guide: http://technet.microsoft.com/en-us/security/cc242650.aspx
Verification: After implementing any workaround, test that authentication cannot be bypassed by attempting to access protected resources anonymously.