[OOB] CAN-2000-0884 - IIS Unicode
The IIS Unicode problem (MS:MS00-078) has received a lot of attention
lately. It has been assigned CAN-2000-0884.

This out-of-band candidate is being posted to the Editorial Board list
so that candidate numbers can be made available as soon as possible
for the most serious security issues. It will also be posted on the
CVE web site. As a reminder, Board members can request out-of-band
candidates for recently publicized security issues that have a broad

This out-of-band candidate is *not* being proposed for votes at this
time. It will be included in the next round of RECENT-XX clusters.

Reference: BUGTRAQ:20001017 IIS %c1%1c remote command execution

IIS 4.0 and 5.0 allows remote attackers to read documents outside of
the web root, and possibly execute arbitrary commands, via malformed
URLs that contain UNICODE encoded characters, aka the "Web Server
Folder Traversal" vulnerability.
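
A defensive check for the kind of malformed URL the description refers to, as an added example that is not part of the original post or of the CVE entry: it percent-decodes a request path once and reports the first byte sequence that is not well-formed UTF-8. The function names and sample paths are assumptions made for illustration; only the %c1%1c sequence comes from the Bugtraq subject line above.

```python
from urllib.parse import unquote_to_bytes

def utf8_defect(data: bytes):
    """Return (offset, reason) for the first ill-formed UTF-8 sequence, or None."""
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:                      # plain ASCII
            i += 1
            continue
        if b in (0xC0, 0xC1):             # could only begin an overlong 2-byte form
            return i, "forbidden lead byte"
        if 0xC2 <= b <= 0xDF:
            need, lo, hi = 1, 0x80, 0xBF
        elif 0xE0 <= b <= 0xEF:           # E0 must not be overlong, ED must not be a surrogate
            need = 2
            lo, hi = (0xA0, 0xBF) if b == 0xE0 else (0x80, 0x9F) if b == 0xED else (0x80, 0xBF)
        elif 0xF0 <= b <= 0xF4:           # F0 must not be overlong, F4 must stay <= U+10FFFF
            need = 3
            lo, hi = (0x90, 0xBF) if b == 0xF0 else (0x80, 0x8F) if b == 0xF4 else (0x80, 0xBF)
        else:                             # stray continuation byte or 0xF5-0xFF
            return i, "invalid lead byte"
        tail = data[i + 1:i + 1 + need]
        if len(tail) < need:
            return i, "truncated sequence"
        if any(not 0x80 <= t <= 0xBF for t in tail):
            return i, "bad continuation byte"
        if not lo <= tail[0] <= hi:
            return i, "overlong or out-of-range sequence"
        i += 1 + need
    return None

def check_request_path(raw_path: str):
    """Percent-decode the path once, then validate the resulting bytes."""
    return utf8_defect(unquote_to_bytes(raw_path))

# Constructed sample paths; only the %c1%1c sequence is taken from the post.
SAMPLE_PATHS = [
    "/index.html",
    "/docs/r%C3%A9sum%C3%A9.html",   # well-formed two-byte sequences
    "/a/%c1%1c/b",                   # sequence named in the Bugtraq subject
    "/a/%e0%81%81/b",                # overlong three-byte encoding of 'A'
    "/a/%e2%82",                     # sequence cut short
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, "->", check_request_path(p) or "ok")
```

The assumed use is to reject or log any request whose path yields a defect, before the path is compared against the web root.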