<html><body>
<p>Hey Steve, <br>
what about CVE-2009-1122? Is it a duplicate of CVE-2009-1535 also?<br>
<br>
Sandra Hill<br>
Security Analyst, X-Force Database Team<br>
Direct: +1 (404) 236 3297<br>
Mail: sanhill@us.ibm.com<br>
Web: www.ibm.com / www.iss.net <br>
<br>
<br>
<b>&quot;Steven M. Christey&quot; &lt;coley@linus.mitre.org&gt;</b><br>
Sent by: vim-bounces@attrition.org<br>
06/10/2009 01:36 PM<br>
Please respond to: Vulnerability Information Managers &lt;vim@attrition.org&gt;<br>
To: Deapesh Misra &lt;deapesh@gmail.com&gt;<br>
cc: vim@attrition.org<br>
Subject: Re: [VIM] IIS WebDav Vulnerability CVE ID<br>
<br>
<tt><br>
Hi,<br>
<br>
Just to confirm, these are duplicate IDs - they were assigned on the same<br>
day, independently, by both MITRE and Microsoft.<br>
<br>
Please use CVE-2009-1535; we're rejecting CVE-2009-1676. &nbsp;See below.<br>
<br>
- Steve<br>
<br>
<br>
======================================================<br>
Name: CVE-2009-1535<br>
Status: Candidate<br>
URL: </tt><tt><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1535">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1535</a></tt><tt><br>
Reference: FULLDISC:20090515 IIS6 + webdav and unicode rides again in 2009<br>
Reference: URL:</tt><tt><a href="http://archives.neohapsis.com/archives/fulldisclosure/2009-05/0135.html">http://archives.neohapsis.com/archives/fulldisclosure/2009-05/0135.html</a></tt><tt><br>
Reference: FULLDISC:20090515 Re: IIS6 + webdav and unicode rides again in 2009<br>
Reference: URL:</tt><tt><a href="http://archives.neohapsis.com/archives/fulldisclosure/2009-05/0144.html">http://archives.neohapsis.com/archives/fulldisclosure/2009-05/0144.html</a></tt><tt><br>
Reference: FULLDISC:20090515 Re: IIS6 + webdav and unicode rides again in 2009<br>
Reference: URL:</tt><tt><a href="http://archives.neohapsis.com/archives/fulldisclosure/2009-05/0139.html">http://archives.neohapsis.com/archives/fulldisclosure/2009-05/0139.html</a></tt><tt><br>
Reference: MISC:</tt><tt><a href="http://archives.neohapsis.com/archives/fulldisclosure/2009-05/att-0135/IIS_Advisory.pdf">http://archives.neohapsis.com/archives/fulldisclosure/2009-05/att-0135/IIS_Advisory.pdf</a></tt><tt><br>
Reference: MISC:</tt><tt><a href="http://blog.zoller.lu/2009/05/iis-6-webdac-auth-bypass-and-data.html">http://blog.zoller.lu/2009/05/iis-6-webdac-auth-bypass-and-data.html</a></tt><tt><br>
Reference: MISC:</tt><tt><a href="http://isc.sans.org/diary.html?n&amp;storyid=6397">http://isc.sans.org/diary.html?n&amp;storyid=6397</a></tt><tt><br>
Reference: MISC:</tt><tt><a href="http://view.samurajdata.se/psview.php?id=023287d6&amp;page=1">http://view.samurajdata.se/psview.php?id=023287d6&amp;page=1</a></tt><tt><br>
<br>
The WebDAV extension in Microsoft Internet Information Services (IIS)<br>
5.1 and 6.0 allows remote attackers to bypass URI-based protection<br>
mechanisms, and list folders or read, create, or modify files, via a<br>
%c0%af (Unicode / character) at an arbitrary position in the URI, as<br>
demonstrated by inserting %c0%af into a &quot;/protected/&quot; initial pathname<br>
component to bypass the password protection on the protected\ folder,<br>
aka &quot;IIS 5.1 and 6.0 WebDAV Authentication Bypass Vulnerability.&quot;<br>
<br>
<br>
======================================================<br>
Name: CVE-2009-1676<br>
Status: Candidate<br>
URL: </tt><tt><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1676">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1676</a></tt><tt><br>
<br>
** REJECT **<br>
<br>
DO NOT USE THIS CANDIDATE NUMBER. &nbsp;ConsultIDs: CVE-2009-1535. &nbsp;Reason:<br>
This candidate is a duplicate of CVE-2009-1535. &nbsp;Notes: All CVE users<br>
should reference CVE-2009-1535 instead of this candidate. &nbsp;All<br>
references and descriptions in this candidate have been removed to<br>
prevent accidental usage.<br>
<br>
<br>
</tt><br>
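<p>The CVE-2009-1535 description quoted above hinges on %c0%af, an overlong two-byte UTF-8 encoding of "/". The following Python detector is an added example, not part of the original thread or of any vendor code; it flags overlong UTF-8 sequences in request URIs and generalizes to three- and four-byte overlong forms. The sample request lines and the function names are constructed for illustration.</p>

```python
from urllib.parse import unquote_to_bytes

# Constructed sample request lines (not taken from any real log).
SAMPLE_REQUESTS = [
    "GET /protected/report.doc HTTP/1.1",
    "PROPFIND /prot%c0%afected/ HTTP/1.1",
    "GET /docs/caf%C3%A9.txt HTTP/1.1",
    "GET /a%e0%80%afb HTTP/1.1",
]

def overlong_sequences(raw: bytes):
    """Yield (offset, encoded_bytes, code_point) for each overlong UTF-8 sequence."""
    i = 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            i += 1
            continue
        # Sequence length and the smallest code point that legitimately needs it.
        if b >> 5 == 0b110:
            n, minimum, cp = 2, 0x80, b & 0x1F
        elif b >> 4 == 0b1110:
            n, minimum, cp = 3, 0x800, b & 0x0F
        elif b >> 3 == 0b11110:
            n, minimum, cp = 4, 0x10000, b & 0x07
        else:
            i += 1  # stray continuation byte or invalid lead byte
            continue
        tail = raw[i + 1:i + n]
        if len(tail) < n - 1 or any(t >> 6 != 0b10 for t in tail):
            i += 1  # truncated or malformed, not an overlong form
            continue
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        if cp < minimum:  # encoded with more bytes than the code point needs
            yield i, raw[i:i + n], cp
        i += n

def scan_request(line: str):
    """Return (offset, hex bytes, decoded char) findings for the URI in a request line."""
    _method, uri, _version = line.split(" ", 2)
    raw = unquote_to_bytes(uri)  # percent-decode to raw bytes, no charset guessing
    return [(off, seq.hex(), chr(cp)) for off, seq, cp in overlong_sequences(raw)]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req, "->", scan_request(req) or "clean")
```

<p>A strict UTF-8 decoder rejects these byte sequences outright; the check matters wherever an access-control filter and the file-system layer behind it decode the same URI differently.</p>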
</body></html>