Free and open-source vulnerability scanner
Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.
Install NowAvailable for macOS, Windows, and Linux
Nmap NSE net: http-iis-webdav-vuln
Information
Severity
Severity
Family
Family
CVSSv2 Base
CVSSv2 Base
CVSSv2 Vector
CVSSv2 Vector
Solution Type
Solution Type
Created
Created
Modified
Modified
Summary
Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access secured WebDAV folders by searching for a password-protected folder and attempting to access it. This vulnerability was patched in Microsoft Security Bulletin MS09-020. A list of well known folders (almost 900) is used by default. Each one is checked, and if returns an authentication request (401), another attempt is tried with the malicious encoding. If that attempt returns a successful result (207), then the folder is marked as vulnerable. This script is based on the Metasploit modules/auxiliary/scanner/http/wmap_dir_webdav_unicode_bypass.rb auxiliary module. For more information on this vulnerability and script see the references. SYNTAX: http.pipeline: If set, it represents the number of HTTP requests that'll be pipelined (ie, sent in a single request). This can be set low to make debugging easier, or it can be set high to test how a server reacts (its chosen max is ignored). basefolder: The folder to start in, eg. ''/web'' will try ''/web/xxx''. folderdb: The filename of an alternate list of folders. http-max-cache-size: The maximum memory size (in bytes) of the cache. webdavfolder: Selects a single folder to use, instead of using a built-in list.
Common Vulnerabilities and Exposures (CVE)
References
- http://blog.zoller.lu/2009/05/iis-6-webdac-auth-bypass-and-data.html
- http://seclists.org/fulldisclosure/2009/May/att-134/IIS_Advisory_pdf.b
- http://www.skullsecurity.org/blog/?p=271
- http://www.kb.cert.org/vuls/id/787932
- https://docs.microsoft.com/en-us/security-updates/securityadvisories/2
- http://nmap.org/r/ms09-020