CVE-2007-2815
Microsoft IIS 5.1 - Hit Highlighting Authentication Bypass
- Severity Score: 10.0 (CVSS v2)
- Public Exploits: 1 (Multiple Sources)
- Exploited in Wild: - (KEV)
- Decision: - (SSVC)
Descriptions
The "hit-highlighting" functionality in webhits.dll in Microsoft Internet Information Services (IIS) Web Server 5.0 only uses Windows NT ACL configuration, which allows remote attackers to bypass NTLM and basic authentication mechanisms and access private web directories via the CiWebhitsfile parameter to null.htw.
*Credits:
N/A
Timeline
- 2007-05-22 CVE Reserved
- 2007-05-22 CVE Published
- 2007-05-31 First Exploit
- 2024-08-07 CVE Updated
- 2024-08-25 EPSS Updated
CWE
- CWE-264: Permissions, Privileges, and Access Controls
References (6)
URL | Tag | Source |
---|---|---|
http://osvdb.org/41091 | Vdb Entry | |
http://securityreason.com/securityalert/2725 | Third Party Advisory | |
http://www.securityfocus.com/archive/1/469238/100/0/threaded | Mailing List | |
http://www.securityfocus.com/bid/24105 | Vdb Entry | |

URL | Date | SRC |
---|---|---|
https://www.exploit-db.com/exploits/4016 | 2007-05-31 | |

URL | Date | SRC |
---|---|---|
http://support.microsoft.com/kb/328832 | 2018-10-16 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Microsoft | Internet Information Services | 5.0 | - | Affected |