PT-2009-4916 · Microsoft · Iis+3
Published
2009-12-09
·
Updated
2019-02-26
·
CVE-2009-2509
CVSS v2.0
9.0
High
| Vector | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Active Directory Federation Services (ADFS) in Microsoft Windows Server 2003 SP2
Active Directory Federation Services (ADFS) in Microsoft Windows Server 2008 Gold and SP2
Description
The issue is related to the improper validation of headers in HTTP requests by Active Directory Federation Services (ADFS) in Microsoft Windows Server, which allows remote authenticated users to execute arbitrary code via a crafted request to an IIS web server.
Recommendations
For Microsoft Windows Server 2003 SP2, update to a version that properly validates HTTP request headers.
For Microsoft Windows Server 2008 Gold and SP2, update to a version that properly validates HTTP request headers.
As a temporary workaround, consider restricting access to the IIS web server to minimize the risk of exploitation.
Fix
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Active Directory Federation Services
Iis
Windows Server 2003
Windows Server 2008