000022102 - Keon Web Sentry for Microsoft Internet Information Services (IIS) vulnerability

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Number: 000022102
Applies To: Keon Web Sentry 3.x
Keon Web Sentry 4.0.x
Microsoft Windows NT 4.0
TechNote 0266
Issue: Keon Web Sentry for Microsoft Internet Information Services (IIS) vulnerability
If ACL rules are set such that a user's certificate allows access to certain web resources, but not others, the user may be able to access the forbidden web resources.
Cause: The problem occurs when a user connects to a resource for which they have access, then connects to a resource for which they do not have access. In certain situations IIS does not send the information for the second request to WebSentry for ACL checking and allows the user to access the protected resource. Only valid certificates issued by a trusted CA will be able to access the site.
Resolution: Download and install the following patch from RSA SecurCare Online.

For Keon Web Sentry 3.7, click on 3_7wspatch.zip to download the patch.

For Keon Web Sentry 4.0.x, click on 4_0wspatch.zip to download the patch.
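After applying the patch, a regression check that replays the exact sequence from the Cause section (an allowed resource, then a forbidden one, over the same client-certificate TLS connection) confirms that the second request is now refused. This is an added example, not RSA's code; the host name, certificate files and the two paths are placeholders, and any status other than 200 on the second request is treated as "not served".

```python
"""Regression check for the Keon Web Sentry / IIS ACL sequence issue (added example)."""
import http.client
import ssl


def make_connection(host, cert_file, key_file, ca_file, port=443):
    """Open one persistent TLS connection that presents the user's client certificate."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return http.client.HTTPSConnection(host, port, context=ctx)


def fetch_status(conn, path):
    """Issue one GET on an existing connection and return the HTTP status code."""
    conn.request("GET", path, headers={"Connection": "keep-alive"})
    resp = conn.getresponse()
    resp.read()  # drain the body so the same connection is reused for the next request
    return resp.status


def probe(conn, allowed_path, forbidden_path):
    """Replay the advisory's access sequence on one connection and classify the result.

    Verdicts:
      "bypass"       - allowed resource served, then the forbidden resource was served too
      "enforced"     - the forbidden resource was not served after the allowed one
      "inconclusive" - the allowed request itself failed, so the sequence was not exercised
    """
    first = fetch_status(conn, allowed_path)
    second = fetch_status(conn, forbidden_path)
    if first != 200:
        verdict = "inconclusive"
    elif second == 200:
        verdict = "bypass"
    else:
        verdict = "enforced"
    return {"allowed": first, "forbidden": second, "verdict": verdict}


if __name__ == "__main__":
    # Placeholders: substitute the real WebSentry host, the user's certificate and key,
    # the CA bundle, and one path the certificate's ACL allows and one it forbids.
    conn = make_connection("websentry.example.test", "user.crt", "user.key", "ca.crt")
    print(probe(conn, "/allowed/index.html", "/restricted/index.html"))
```

Run it once per certificate/ACL combination that matters; a "bypass" verdict after patching means the patch did not take effect on that server.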
Legacy Article ID: a3171
