JVNDB-2008-000076

sISAPILocation vulnerable to bypass of the HTTP header rewrite function

Overview

sISAPILocation, developed by an individual developer, is an ISAPI (Internet Server Application Program Interface) filter for IIS (Internet Information Services). It contains a vulnerability that allows its HTTP header rewrite function to be bypassed.

CVSS Severity

Base Metrics: 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products

Tomoki Sanaki
  • sISAPILocation Ver1.0.2.1 and earlier

Impact

Settings applied through sISAPILocation, such as specifying the character encoding or setting the secure flag for cookies, could be bypassed.

Solution

[Update the Software]
Update to the latest version according to the information provided by the developer.

[Workarounds]
Do not use the Keep-Alive feature on IIS until the update is completed.

Vendor Information

Tomoki Sanaki
  • sanaki's Freesoft : free100 (Japanese)

References

  1. JVN : JVN#67060882
  2. National Vulnerability Database (NVD) : CVE-2008-6298
  3. Common Vulnerabilities and Exposures (CVE) : CVE-2008-6298
  4. Secunia Advisory : SA32581
  5. SecurityFocus : 32247
  6. VUPEN Security : VUPEN/ADV-2008-3105
  7. Common Weakness Enumeration (CWE) : Insufficient Input Validation (CWE-20) [IPA Evaluation]
  8. JVN iPedia (Japanese) : JVNDB-2008-000076

Revision History

[2008/11/10]
  Web page published

Date Public: 2008/11/06
Date First Published: 2008/11/10
Date Last Updated: 2008/11/10