The 2009 Pwnie Nominee For Best Server-Side Bug

Microsoft IIS 6.0 WebDAV Remote Authentication Bypass (CVE-2009-1535)

Credit: Nikolaos Rangos / Kingcope

Amazingly undiscovered until just recently, the same Unicode escape sequence that could be used in the IIS Unicode Directory Traversal vulnerability of MS00-057 can also be used to bypass authentication on password-protected IIS directories through WebDAV HTTP requests. This vulnerability was released to Full-Disclosure by Kingcope, a previous Pwnie Award winner.
