CVE-2002-0422 in IIS

Summary

by MITRE

IIS 5 and 5.1 supporting WebDAV methods allows remote attackers to determine the internal IP address of the system (which may be obscured by NAT) via (1) a PROPFIND HTTP request with a blank Host header, which leaks the address in an HREF property in a 207 Multi-Status response, or (2) via the WRITE or MKCOL method, which leaks the IP in the Location server header.


Analysis

by VulDB Data Team • 09/17/2025

This vulnerability affects Microsoft Internet Information Services versions 5.0 and 5.1 when configured to support WebDAV protocols, creating a significant information disclosure risk that can expose internal network addressing information. The flaw stems from improper handling of HTTP requests within the WebDAV implementation, specifically when processing PROPFIND, WRITE, and MKCOL methods. Attackers can exploit this vulnerability by sending specially crafted HTTP requests that cause the server to include internal IP addresses in response headers or body content, effectively bypassing network address translation mechanisms that typically obscure internal addressing information.

The technical mechanism behind this vulnerability involves the WebDAV protocol implementation in IIS where certain HTTP methods process requests with blank Host headers in a manner that reveals internal network addressing details. When a PROPFIND request is sent with an empty Host header, the server responds with a 207 Multi-Status HTTP status code that contains an HREF property in the response body which includes the internal IP address. Similarly, when WRITE or MKCOL methods are used with blank Host headers, the Location server header in the response contains the internal IP address, creating a direct information disclosure channel that can be exploited by remote attackers without authentication or privileged access.

The operational impact of this vulnerability extends beyond simple information disclosure, as it provides attackers with critical network topology information that can be used for further exploitation attempts. An attacker who successfully exploits this vulnerability can determine the internal IP address of the target system, which may be a private IP address that would normally be hidden behind NAT or firewall configurations. This information can be used to map internal network structures, identify potential targets for additional attacks, or craft more sophisticated attacks that leverage knowledge of internal addressing schemes. The vulnerability is particularly concerning because it can be exploited remotely without requiring any authentication credentials, making it a low-effort, high-impact information disclosure threat.

From a cybersecurity perspective, this vulnerability aligns with CWE-200, which describes information disclosure vulnerabilities where sensitive information is exposed to unauthorized entities. The attack pattern follows typical reconnaissance techniques documented in the MITRE ATT&CK framework under the information gathering phase, where adversaries collect information about target systems and networks. The vulnerability demonstrates how protocol implementations can create unintended information channels that bypass normal security controls. Organizations should implement mitigations including disabling WebDAV functionality when not required, applying Microsoft security patches, configuring proper network segmentation, and monitoring for unusual HTTP request patterns that may indicate exploitation attempts. Additionally, network administrators should consider firewall rules that restrict access to WebDAV endpoints, and should protect internal IP addressing information through network design practices such as proper NAT configuration and network address hiding mechanisms.
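One way to do the request-pattern monitoring mentioned above, as an added example that is not VulDB's or Microsoft's code: it scans IIS W3C extended log text for the WebDAV methods named in the CVE description arriving with an empty Host. It assumes the `cs-host` and `cs-method` fields are enabled in logging and that an empty value is written as `-`; the function name and sample log are constructed for illustration.

```python
# Added example: flags the request pattern this entry describes in IIS W3C extended logs.
WATCHED_METHODS = {"PROPFIND", "WRITE", "MKCOL"}  # methods named in the CVE text

# Constructed sample log (not from a real server); addresses are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs-host
2002-03-10 10:00:01 198.51.100.7 GET /index.htm 200 www.example.com
2002-03-10 10:00:05 198.51.100.7 PROPFIND / 207 -
2002-03-10 10:00:09 203.0.113.20 PROPFIND /docs 207 www.example.com
2002-03-10 10:00:12 198.51.100.7 MKCOL /tmp1 201 -
2002-03-10 10:00:15 203.0.113.21 GET /robots.txt 404 -
"""

def find_blank_host_webdav(log_text):
    """Return (line_no, client_ip, method, status) for watched methods with an empty Host."""
    fields, hits = None, []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the column layout can change mid-file
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("no #Fields: directive before data on line %d" % line_no)
        if "cs-host" not in fields or "cs-method" not in fields:
            raise ValueError("enable cs-host and cs-method logging to use this check")
        values = line.split()
        if len(values) != len(fields):
            continue                            # truncated or malformed row
        row = dict(zip(fields, values))
        # Assumption: a field with no value is logged as "-", so a blank Host shows as "-".
        if row["cs-method"].upper() in WATCHED_METHODS and row["cs-host"] == "-":
            hits.append((line_no, row.get("c-ip", "?"),
                         row["cs-method"], row.get("sc-status", "?")))
    return hits

if __name__ == "__main__":
    for hit in find_blank_host_webdav(SAMPLE_LOG):
        print("line %d: %s sent %s with blank Host (status %s)" % hit)
```

A plain GET with no Host (line 7 of the sample) is deliberately not flagged, since HTTP/1.0 clients omit the header routinely; only the WebDAV methods from the description are matched.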
