
[OOB] CAN-2000-0884 - IIS Unicode



The IIS Unicode problem (MS:MS00-078) has received a lot of attention
lately.  It has been assigned CAN-2000-0884.

This out-of-band candidate is being posted to the Editorial Board list
so that candidate numbers can be made available as soon as possible
for the most serious security issues.  It will also be posted on the
CVE web site.  As a reminder, Board members can request out-of-band
candidates for recently publicized security issues that have a broad
effect.

This out-of-band candidate is *not* being proposed for votes at this
time.  It will be included in the next round of RECENT-XX clusters.

- Steve



Candidate: CAN-2000-0884
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0884
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20001019
Category: SF
Reference: BUGTRAQ:20001017 IIS %c1%1c remote command execution
Reference: MS:MS00-078
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-078.asp

IIS 4.0 and 5.0 allow remote attackers to read documents outside of
the web root, and possibly execute arbitrary commands, via malformed
URLs that contain UNICODE encoded characters, aka the "Web Server
Folder Traversal" vulnerability.

Page Last Updated or Reviewed: May 22, 2007