CVE-2009-1535

CVE Database · CVE-2009-1535

CVE-2009-1535

· N/AModified

CVSS v3.1

N/A

EPSS

98.11%

Published

Jun 10, 2009

Modified

Apr 22, 2026

Public PoC / Exploit (3)

All weaponized →

Exploit-DBMicrosoft IIS 6.0 - WebDAV Remote Authentication Bypass (1)Exploit-DBMicrosoft IIS 6.0 - WebDAV Remote Authentication Bypass (2)TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

The WebDAV extension in Microsoft Internet Information Services (IIS) 5.1 and 6.0 allows remote attackers to bypass URI-based protection mechanisms, and list folders or read, create, or modify files, via a %c0%af (Unicode / character) at an arbitrary position in the URI, as demonstrated by inserting %c0%af into a "/protected/" initial pathname component to bypass the password protection on the protected\ folder, aka "IIS 5.1 and 6.0 WebDAV Authentication Bypass Vulnerability," a different vulnerability than CVE-2009-1122.

Weaknesses (CWE)

CWE-287

Affected Products (8)

microsoft · internet_information_servicesvulnerable

microsoft · windows_xp

microsoft · internet_information_servicesvulnerable

microsoft · windows_server_2003

microsoft · windows_xp

References (20)

http://archives.neohapsis.com/archives/fulldisclosure/2009-05/0135.html

Broken Link

http://archives.neohapsis.com/archives/fulldisclosure/2009-05/0139.html