Multiple Vulnerabilities in eEye SecureIIS

ReportedMay 18, 2001, by Alliance Security Labs.

VERSIONAFFECTED

DESCRIPTION
Multiplevulnerabilities exist in eEye’s SecureIIS 1.0.2. The first vulnerabilityinvolves the keyword-checking feature—SecureIIS fails to decode escapedcharacters in a request's query, which can lead to information disclosure. Thesecond involves a directory traversal vulnerability that lets an attacker breakout of the Web root directory. The third vulnerability involves a buffer overruncondition caused by the way that SecureIIS processes HTTP header andlarge-character requests.

VENDORRESPONSE

MarcMaiffret of eEye issued this statement:

"The'bugs' found in SecureIIS were mostly bugs that would affect third-party Webscripts and not IIS-specific vulnerabilities. SecureIIS was and is stillprotecting customers from IIS vulnerabilities, and the bugs that were found inno way could be used to bypass SecureIIS in its protection from IISvulnerabilities, because SecureIIS has a multi-layer security system so even ifan attacker gets past the first layer, they will be denied at the second layer,etc.… However, since there was the potential for the bugs to cause someproblems we took the issue seriously and released an updated patched version ofSecureIIS the same day that the bugs were discovered."

Thevendor, eEye Digital Security, recommends that users upgrade to version1.0.5, which addresses these vulnerabilities.

CREDIT
Discoveredby Alliance Security Labs.