The WebDAV extension in Microsoft Internet Information Services (IIS) 5.1 and 6.0 allows remote attackers to bypass URI-based protection mechanisms,
and list folders or read, create, or modify files, via a %c0%af (Unicode / character) at an arbitrary position in the URI,
as demonstrated by inserting %c0%af into a "/protected/" initial pathname component to bypass the password protection on the protected\ folder,
aka "IIS 5.1 and 6.0 WebDAV Authentication Bypass Vulnerability," a different vulnerability than CVE-2009-1122.
Vulnerability reference:
msf > use auxiliary/scanner/http/dir_webdav_unicode_bypass
msf auxiliary(dir_webdav_unicode_bypass) > show actions
...actions...
msf auxiliary(dir_webdav_unicode_bypass) > set ACTION <action-name>
msf auxiliary(dir_webdav_unicode_bypass) > show options
...show and set options...
msf auxiliary(dir_webdav_unicode_bypass) > run