JVNDB-2008-000076

sISAPILocation vulnerability bypasses HTTP header rewrite function

Overview

sISAPILocation, an ISAPI (Internet Server Application Program Interface) filter, contains a vulnerability that allows the HTTP header rewrite function to be bypassed.

sISAPILocation, developed by an individual developer, is an ISAPI filter for IIS (Internet Information Services). sISAPILocation contains a vulnerability that allows the HTTP header rewrite function to be bypassed.

CVSS Severity

CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products

Tomoki Sanaki
  • sISAPILocation Ver1.0.2.1 and earlier

Impact

When sISAPILocation is used to configure settings, such as to specify character encoding or to set the secure flag for cookies, such settings could be bypassed.

Solution

[Update the Software]
Update to the latest version according to the information provided by the developer.

[Workarounds]
Do not use the Keep-Alive feature on IIS until the update is completed.

Vendor Information

Tomoki Sanaki
  • sanaki's Freesoft : free100 (Japanese)

CWE

  1. Improper Input Validation (CWE-20) [IPA Evaluation]

CVE

  1. CVE-2008-6298

References

  1. JVN : JVN#67060882
  2. National Vulnerability Database (NVD) : CVE-2008-6298
  3. Secunia Advisory : SA32581
  4. SecurityFocus : 32247
  5. VUPEN Security : VUPEN/ADV-2008-3105
  6. JVN iPedia (Japanese) : JVNDB-2008-000076

Revision History

  • [2008/11/10]
      Web page published