VULHUB ™

Microsoft IIS contains a flaw in the handling of FTP domain authentication. A user attempting to authenticate using a valid login name appended with specially chosen characters, will not be required to specify the domain which the account belongs. The FTP service will instead search the domain and all trusted domains for the user account. Once the account is located, the user will have to complete the authentication process. At this point brute force attacks can be used in an attempt to gain access to the domain.

Microsoft IIS contains a flaw in the handling of FTP domain authentication. A user attempting to authenticate using a valid login name appended with specially chosen characters, will not be required to specify the domain which the account belongs. The FTP service will instead search the domain and all trusted domains for the user account. Once the account is located, the user will have to complete the authentication process. At this point brute force attacks can be used in an attempt to gain access to the domain.