Unrated severityNVD Advisory· Published Jun 10, 2009· Updated Apr 23, 2026
CVE-2009-1535
CVE-2009-1535
Description
The WebDAV extension in Microsoft Internet Information Services (IIS) 5.1 and 6.0 allows remote attackers to bypass URI-based protection mechanisms, and list folders or read, create, or modify files, via a %c0%af (Unicode / character) at an arbitrary position in the URI, as demonstrated by inserting %c0%af into a "/protected/" initial pathname component to bypass the password protection on the protected\ folder, aka "IIS 5.1 and 6.0 WebDAV Authentication Bypass Vulnerability," a different vulnerability than CVE-2009-1122.
Affected products
2cpe:2.3:a:microsoft:internet_information_services:5.1:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:microsoft:internet_information_services:5.1:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:internet_information_services:6.0:*:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
11- docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-020nvdPatchVendor Advisory
- blog.zoller.lu/2009/05/iis-6-webdac-auth-bypass-and-data.htmlnvdThird Party Advisory
- isc.sans.org/diary.htmlnvdThird Party Advisory
- www.attrition.org/pipermail/vim/2009-June/002192.htmlnvdThird Party Advisory
- www.us-cert.gov/cas/techalerts/TA09-160A.htmlnvdThird Party AdvisoryUS Government Resource
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6029nvdThird Party Advisory
- archives.neohapsis.com/archives/fulldisclosure/2009-05/0135.htmlnvdBroken Link
- archives.neohapsis.com/archives/fulldisclosure/2009-05/0139.htmlnvdBroken Link
- archives.neohapsis.com/archives/fulldisclosure/2009-05/0144.htmlnvdBroken Link
- archives.neohapsis.com/archives/fulldisclosure/2009-05/att-0135/IIS_Advisory.pdfnvdBroken Link
- view.samurajdata.se/psview.phpnvdBroken Link
News mentions
0No linked articles in our index yet.