漏洞ID: JVN#67060882 影响范围: sISAPILocation Ver1.0.2.1 and earlier 漏洞描述: sISAPILocation, an ISAPI filter for IIS, contains a vulnerability that allows the HTTP header rewrite function to be bypassed. 影响: Configuration settings such as character encoding and secure flag for cookies can be bypassed. 解决方法: Update to the latest version according to the developer's instructions. 临时方案: Disable the Keep-Alive feature on IIS until the update is completed. 厂商信息: Vendor is Tomoki Sanaki, and further information can be found at sISAPILocation (in Japanese). 漏洞分析: - 访问要求: Routed - can be attacked over the Internet using packets (Severity: High) - 认证要求: None - anonymous or no authentication (Severity: High) - 用户交互要求: None - the vulnerability can be exploited without an honest user taking any action (Severity: High) - 利用复杂度: Low-Medium - some expertise and/or luck required (Severity: Medium-High) 其他信息: Linked to JPCERT Alert, Reports, CERT Advisory, CERT Advisory, TRnotes, CVE, JVN iPedal, and CVE identifier JVNDB-2008-000076.