Microsoft IIS Flaw Exposes Sensitive Files
Security experts are urging administrators using Microsoft’s
Internet Information Services version 6 to take extreme caution
following the discovery that the web server is vulnerable to an attack
that exposes password-protected files and folders.
The vulnerability lies in the part of IIS6 that processes
commands based on the WebDAV protocol. By adding several unicode
characters to a web address, attackers can access sensitive files that
are supposed to be available only with a system password. According to
security researcher Nikolaos Rangos the flaw can also be used to upload
malicious files to protected parts of the server.
“The web server fails to properly handle unicode tokens when
parsing the URI and sending back data,” Rangos’ advisory warns. The
advisory, published last Friday, goes on to demonstrate how several GET
requests can give outsiders easy access to vulnerable systems.
The U.S. CERT reports that it is already seeing “active exploitation” of the flaw. U.S. CERT is advising that WebDAV be temporarily disabled. The vulnerabilities are present only in version 6 of IIS, and WebDAV is not enabled by default.
Members of Microsoft’s security team are looking into the report, a spokesperson said Monday morning.
The attack can also be used to list, access, or upload files in
a password-protected WebDAV folder, according to Rangos’s advisory.
Secunia rates the flaw “moderately critical,” the third-highest rating
on its five-tier severity scale.
Also see – http://blogs.technet.com/msrc/archive/2009/05/18/microsoft-security-advisory-971492.aspx and http://blogs.technet.com/srd/archive/2009/05/18/more-information-about-the-iis-authentication-bypass.aspx