[OOB] CAN-2000-0884 - IIS Unicode

["Steven M. Christey" <coley@linus.mitre.org>]

The IIS Unicode problem (MS:MS00-078) has received a lot of attention lately. It has been assigned CAN-2000-0884. This out-of-band candidate is being posted to the Editorial Board list so that candidate numbers can be made available as soon as possible for the most serious security issues. It will also be posted on the CVE web site. As a reminder, Board members can request out-of-band candidates for recently publicized security issues that have a broad effect. This out-of-band candidate is *not* being proposed for votes at this time. It will be included in the next round of RECENT-XX clusters. - Steve Candidate: CAN-2000-0884 URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0884Final-Decision: Interim-Decision: Modified: Proposed: Assigned: 20001019 Category: SF Reference: BUGTRAQ:20001017 IIS %c1%1c remote command execution Reference: MS:MS00-078 Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-078.aspIIS 4.0 and 5.0 allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability.