Reported May 18, 2001, by Alliance Security Labs.

VERSION AFFECTED

  • eEye Digital Security SecureIIS 1.0.2 for Microsoft Internet Information Server 4.0 and Microsoft Internet Information Services 5.0

DESCRIPTION
Multiple vulnerabilities exist in eEye’s SecureIIS 1.0.2. The first vulnerability involves the keyword-checking feature—SecureIIS fails to decode escaped characters in a request's query, which can lead to information disclosure. The second involves a directory traversal vulnerability that lets an attacker break out of the Web root directory. The third vulnerability involves a buffer overrun condition caused by the way that SecureIIS processes HTTP header and large-character requests.

 


 

VENDOR RESPONSE

Marc Maiffret of eEye issued this statement:

 

"The 'bugs' found in SecureIIS were mostly bugs that would affect third-party Web scripts and not IIS-specific vulnerabilities. SecureIIS was and is still protecting customers from IIS vulnerabilities, and the bugs that were found in no way could be used to bypass SecureIIS in its protection from IIS vulnerabilities, because SecureIIS has a multi-layer security system so even if an attacker gets past the first layer, they will be denied at the second layer, etc.… However, since there was the potential for the bugs to cause some problems we took the issue seriously and released an updated patched version of SecureIIS the same day that the bugs were discovered."

 

The vendor, eEye Digital Security, recommends that users upgrade to version 1.0.5, which addresses these vulnerabilities.

 

CREDIT
Discovered by Alliance Security Labs.