HTTP: Malformed URL Request

This protocol anomaly triggers when it detects a malformed URL, such as a Unicode encoded field with non-hex digits or an encoded NULL byte.

Extended Description

Microsoft IIS 4.0 and 5.0 are both vulnerable to double dot "../" directory traversal exploitation if extended UNICODE character representations are used in substitution for "/" and "\". Unauthenticated users may access any known file in the context of the IUSR_machinename account. The IUSR_machinename account is a member of the Everyone and Users groups by default, therefore, any file on the same logical drive as any web-accessible file that is accessible to these groups can be deleted, modified, or executed. Successful exploitation would yield the same privileges as a user who could successfully log onto the system to a remote user possessing no credentials whatsoever. It has been discovered that a Windows 98 host running Microsoft Personal Web Server is also subject to this vulnerability. (March 18, 2001) This is the vulnerability exploited by the Code Blue Worm. **UPDATE**: It is believed that an aggressive worm may be in the wild that actively exploits this vulnerability.

Affected Products

Microsoft iis

References

BugTraq: 1806 68195

CVE: CVE-2014-4158

URL: http://www.sans.org/top20/ http://www.microsoft.com/technet/security/bulletin/ms00-078.asp http://archives.neohapsis.com/archives/fulldisclosure/2004-11/0208.html

Short Name

HTTP:REQERR:REQ-MALFORMED-URL

Severity

Minor

Recommended

False

Recommended Action

None

HTTP: Malformed URL Request

Extended Description

Affected Products

References

Found a potential security threat?