
IIS6.0 WebDav Remote Auth Bypass, (Fri, May 15th)


If you’re in the security business long enough, this one will sound extremely familiar: Apparently, adding certain Unicode characters to a URL makes it possible to bypass authentication in Microsoft IIS6 with WebDav and access or even upload files in folders which are supposed to be password protected.
The description was posted to Full Disclosure earlier, and there’s a brief comment/analysis on Thierry Zoller’s blog.
Yup, we hate to spring such surprises on you on a Friday evening. If you have WebDav active and accessible from the Internet on any of your IIS6 servers, it is probably a wise move to hedge and turn WebDav off over the weekend, until more details on this problem become available.
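As an added example (not from the diary or from ISC), a small check a defender could run over IIS6 W3C logs while WebDav is still enabled: it flags WebDav requests whose URL carries percent-encoded non-ASCII bytes yet still resolves into a protected folder, and anonymous requests that succeeded in such a folder. The log field order and the list of protected folders are assumptions.

```python
import re
from typing import NamedTuple, Optional

# WebDAV verbs plus PUT, since the diary says the bypass can allow uploads.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "PUT", "OPTIONS"}
# A percent-encoded byte with the high bit set, or an IIS-style %uXXXX escape.
NON_ASCII_ESCAPE = re.compile(r"%(?:[89a-fA-F][0-9a-fA-F]|u[0-9a-fA-F]{4})")
# Assumed: folders that should only be reachable after authentication.
PROTECTED_PREFIXES = ("/protected/", "/admin/")

class Finding(NamedTuple):
    method: str
    uri: str
    user: str
    status: int
    reason: str

def intended_path(uri: str) -> str:
    # Drop the non-ASCII escapes to see which folder the request really targets.
    return NON_ASCII_ESCAPE.sub("", uri)

def check_line(line: str) -> Optional[Finding]:
    """Fields assumed: date time cs-method cs-uri-stem cs-username sc-status."""
    if line.startswith("#"):          # W3C directive/header line
        return None
    fields = line.split()
    if len(fields) < 6:
        return None
    method, uri, user, status = fields[2:6]
    if method not in WEBDAV_METHODS:
        return None
    if not intended_path(uri).lower().startswith(PROTECTED_PREFIXES):
        return None
    if NON_ASCII_ESCAPE.search(uri):
        reason = "non-ASCII escape in URL aimed at a protected folder"
    elif user == "-" and status.startswith("2"):
        reason = "anonymous request succeeded in a protected folder"
    else:
        return None                   # challenged (401) or authenticated user
    return Finding(method, uri, user, int(status), reason)

def scan(lines):
    return [f for f in map(check_line, lines) if f is not None]

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "#Fields: date time cs-method cs-uri-stem cs-username sc-status",
    "2009-05-15 18:02:12 PROPFIND /protected/ - 401",
    "2009-05-15 18:02:13 PROPFIND /%c3%a9protected/ - 207",
    "2009-05-15 18:02:14 PUT /protected/notes.txt alice 201",
    "2009-05-15 18:02:15 PUT /protected/drop.txt - 201",
]
```

Running `scan(SAMPLE_LOG)` on the constructed lines returns two findings: the escaped PROPFIND and the anonymous PUT; the challenged and the authenticated requests are left alone.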

