Advisory Version: |
- |
Disclosure Date: |
24.12.2009 |
Last Updated: |
31.12.2009 |
Affected Systems: |
Microsoft IIS 6.0
  + Microsoft Windows Server 2003 Datacenter Edition
  + Microsoft Windows Server 2003 Datacenter Edition Itanium 0
  + Microsoft Windows Server 2003 Enterprise Edition
  + Microsoft Windows Server 2003 Enterprise Edition Itanium 0
  + Microsoft Windows Server 2003 Standard Edition
  + Microsoft Windows Server 2003 Web Edition
Microsoft IIS 5.1
  - Microsoft Windows 2000 Advanced Server SP2
  - Microsoft Windows 2000 Advanced Server SP1
  - Microsoft Windows 2000 Advanced Server
  - Microsoft Windows 2000 Datacenter Server SP2
  - Microsoft Windows 2000 Datacenter Server SP1
  - Microsoft Windows 2000 Datacenter Server
  - Microsoft Windows 2000 Professional SP2
  - Microsoft Windows 2000 Professional SP1
  - Microsoft Windows 2000 Professional
  - Microsoft Windows 2000 Server SP2
  - Microsoft Windows 2000 Server SP1
  - Microsoft Windows 2000 Server
  + Microsoft Windows XP 64-bit Edition SP1
  + Microsoft Windows XP 64-bit Edition
  - Microsoft Windows XP Home SP1
  - Microsoft Windows XP Home
  + Microsoft Windows XP Professional SP1
  + Microsoft Windows XP Professional
Microsoft IIS 5.0
  - Microsoft Windows 2000 Advanced Server SP2
  - Microsoft Windows 2000 Advanced Server SP1
  + Microsoft Windows 2000 Advanced Server
  - Microsoft Windows 2000 Datacenter Server SP2
  - Microsoft Windows 2000 Datacenter Server SP1
  - Microsoft Windows 2000 Professional SP2
  - Microsoft Windows 2000 Professional SP1
  + Microsoft Windows 2000 Professional
  - Microsoft Windows 2000 Server SP2
  - Microsoft Windows 2000 Server SP1
  + Microsoft Windows 2000 Server
Microsoft IIS 4.0
  + Cisco Building Broadband Service Manager 5.0
  + Cisco Call Manager 3.0
  + Cisco Call Manager 2.0
  + Cisco Call Manager 1.0
  + Cisco ICS 7750
  + Cisco IP/VC 3540 Video Rate Matching Module
  + Cisco Unity Server 2.4
  + Cisco Unity Server 2.3
  + Cisco Unity Server 2.2
  + Cisco Unity Server 2.0
  + Cisco uOne 4.0
  + Cisco uOne 3.0
  + Cisco uOne 2.0
  + Cisco uOne 1.0
  + Microsoft BackOffice 4.5
  + Microsoft BackOffice 4.0
  + Microsoft Windows NT 4.0 Option Pack
Microsoft IIS 3.0
  - Microsoft Windows NT 4.0 SP6a
  - Microsoft Windows NT 4.0 SP6
  - Microsoft Windows NT 4.0 SP5
  - Microsoft Windows NT 4.0 SP4
  - Microsoft Windows NT 4.0 SP3
  - Microsoft Windows NT 4.0 SP2
  - Microsoft Windows NT 4.0 SP1
  - Microsoft Windows NT 4.0
Microsoft IIS 2.0
  + Microsoft Windows NT 4.0
Microsoft IIS 1.0
  - Microsoft Windows NT 4.0 |
|
CVE: |
CVE-2009-4444 CVE-2009-4445 |
BID: |
37460 |
References: |
Soroush Dalili: http://soroush.secproject.com/downloadable/iis-semicolon-report.pdf
Microsoft: http://blogs.technet.com/msrc/archive/2009/12/27/new-reports-of-a-vulnerability-in-iis.aspx
http://blogs.technet.com/msrc/archive/2009/12/29/results-of-investigation-into-holiday-iis-claim.aspx
http://blogs.iis.net/nazim/archive/2009/12/29/public-disclosure-of-iis-security-issue-with-semi-colons-in-url.aspx
|
Author(s): |
Soroush Dalili |
|
Description: |
A security-control bypass vulnerability has been identified in Microsoft Internet Information Services (IIS). The vulnerability arises when the ASP engine processes deliberately crafted files whose names contain multiple extensions joined with the ";" character. The vulnerability is rated medium severity because it can occur on servers configured outside the IIS best practices recommended by Microsoft. The issue does not occur in a default installation. |
Impact: |
Security control bypass |
Solution: |
No update has been released. As a workaround: 1- Restrict the file upload feature to specific users. 2- Remove execute permission on folders that contain uploaded files. |
Source: http://www.bilgiguvenligi.gov.tr/guvenlik-bildirileri-kategorisi/microsoft-iis-bircok-uzanti-icin-guvenlik-atlatma-acikligi.html
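
Added example (not part of the original advisory and not Microsoft's code): an upload-name check that complements the two workarounds above by refusing multi-extension names joined with ";", shown beside the weak last-extension check that such names pass. The function names, the two extension sets and the sample file names are assumptions constructed for illustration.

```python
import ntpath

# Assumption: extensions the upload feature is meant to accept (site policy).
ALLOWED_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}
# Assumption: extensions mapped to a script engine on the protected server.
SCRIPT_EXTS = {".asp", ".aspx"}

# Constructed sample: names as they might appear in an upload folder.
SAMPLE_NAMES = ["photo.jpg", "report.asp;.jpg", "notes.asp", "scan.pdf"]


def naive_check(filename):
    """Weak check: trusts only the text after the last dot."""
    return ntpath.splitext(filename)[1].lower() in ALLOWED_EXTS


def strict_check(filename):
    """Accept only 'stem.ext' with one allow-listed extension and no ';'."""
    # ';' joins the multiple extensions described in the advisory; path
    # separators are refused so the name cannot point outside the folder.
    if ";" in filename or "/" in filename or "\\" in filename:
        return False
    stem, ext = ntpath.splitext(filename)
    # A dot left in the stem means a second extension (e.g. "a.asp.jpg").
    return bool(stem) and "." not in stem and ext.lower() in ALLOWED_EXTS


def audit(names):
    """Return names already stored in an upload folder that need review."""
    flagged = []
    for name in names:
        parts = name.lower().split(";")
        has_script_ext = any(ntpath.splitext(p)[1] in SCRIPT_EXTS for p in parts)
        if len(parts) > 1 or has_script_ext:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(f"{n!r}: naive={naive_check(n)} strict={strict_check(n)}")
    print("needs review:", audit(SAMPLE_NAMES))
```

Name validation does not replace removing execute permission on the upload folder; it only narrows what can be stored there.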