WPAD WINS Server Registration Vulnerability

oval:org.mitre.oval:def:6117

The WINS server in Microsoft Windows 2000 SP4 and Server 2003 SP1 and SP2 does not restrict registration of the (1) "wpad" and (2) "isatap" NetBIOS names, which allows remote authenticated users to hijack the Web Proxy Auto-Discovery (WPAD) and Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) features, and conduct man-in-the-middle attacks by spoofing a proxy server or ISATAP route, by registering one of these names in the WINS database, aka "WPAD WINS Server Registration Vulnerability," a related issue to CVE-2007-1692.

Family:
windows
Status:
ACCEPTED
Platform(s):
  • Microsoft Windows 2000
  • Microsoft Windows Server 2003
Class:
vulnerability
Reference(s):
  • CVE-2009-0094
Product(s):