IIS6.0 WebDav Remote Auth Bypass, (Fri, May 15th)

If you’re in the security business long enough, this one will sound extremely familiar: Apparently, adding certain Unicode characters to a URL makes it possible to bypass authentication in Microsoft IIS6 with WebDav and access or even upload files in folders which are supposed to be password protected.
The description was posted to Full Disclosure earlier, and there’s a brief comment/analysis on Thierry Zoller’s blog.
Yup, we hate to spring such surprises on you on a Friday evening. If you have WebDav active and accessible from the Internet on any of your IIS6 servers, it is probably a wise move to hedge and turn WebDav off over the weekend, until more details on this problem become available.
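
While details are still pending, one thing a defender can do is review IIS logs for WebDav-style requests whose URL contains non-ASCII characters. The script below is an added example, not part of the original diary entry; it assumes W3C extended logs with a `#Fields:` header and that the URI is logged either percent-encoded or as raw non-ASCII text, and the sample log lines, addresses and paths are constructed placeholders.

```python
import re

# WebDAV verbs plus the HTTP verbs WebDAV uses for reading and uploading files.
DAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK",
               "UNLOCK", "PUT", "DELETE", "GET"}
# A percent-encoded byte >= 0x80, i.e. part of a non-ASCII character.
HIGH_BYTE = re.compile(r"%[89a-fA-F][0-9a-fA-F]")


def has_non_ascii(uri):
    """True if the URI carries raw or percent-encoded non-ASCII bytes."""
    return bool(HIGH_BYTE.search(uri)) or any(ord(c) > 127 for c in uri)


def suspicious_requests(lines):
    """Yield (client_ip, method, uri, status, served) for flagged requests."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        method = row.get("cs-method", "").upper()
        uri = row.get("cs-uri-stem", "")
        status = row.get("sc-status", "")
        if method in DAV_METHODS and has_non_ascii(uri):
            # 2xx (including 207 Multi-Status) means the request was served
            # rather than rejected with 401/403: review those first.
            yield row.get("c-ip", "-"), method, uri, status, status.startswith("2")


# Constructed sample log (documentation IP ranges, placeholder paths).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2009-05-15 21:02:11 192.0.2.10 GET /index.html 200
2009-05-15 21:02:40 198.51.100.7 PROPFIND /protected/ 401
2009-05-15 21:03:05 198.51.100.7 PROPFIND /prot%C3%A9cted/ 207
2009-05-15 21:03:09 198.51.100.7 PUT /prot%C3%A9cted/note.txt 201
2009-05-15 21:04:00 203.0.113.5 GET /caf%C3%A9/menu.html 404
""".splitlines()

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Hits are only leads: legitimate sites with non-ASCII file names will also match, so prioritise served requests against folders that should require a password.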

URL: http://isc.sans.org/diary.php?storyid=6397&rss
