Info

Disclosure

Jul 14, 2009

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

ISA Server 2006 contains a flaw that may allow a malicious user to bypass authentication. The issue is triggered when the server receives a request from a user agent that indicates a fall-back to HTTP-Basic authentication and ISA does not properly authenticate the request. It is possible that the flaw may allow unauthenticated access resulting in a loss of confidentiality, integrity, and/or availability.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Patch / RCS
Disclosure: Vendor Verified
OSVDB: Web Related

Solution

Microsoft has released a patch to address this vulnerability.

Products

Microsoft Corporation	ISA Server	2006
		2006 Supportability Update
		2006 SP1

References

CVE ID: 2009-1135 (see also: NVD)
Secunia Advisory ID: 35784
Microsoft Knowledge Base Article: 970811 970953 971143
News Article: http://blogs.technet.com/isablog/archive/2009/07/13/ms09-031-isa-server-2006-fba-and-radius-otp-bulletin.aspx
http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=218500470
http://www.theregister.co.uk/2009/07/09/microsoft_july_patch_tuesday_advance/
Vendor URL: http://www.microsoft.com/en-us/default.aspx
Microsoft Security Bulletin: MS09-031

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/55836

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Microsoft Corporation

ISA Server

References

Credit