Tuesday, May 19, 2009

New flaw found in IIS 6.0 - 18 May 09

Microsoft Internet Information Services (IIS) version 6.0 contains a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and access sensitive information.

The vulnerability is due to improper processing of Unicode characters in HTTP requests. An unauthenticated, remote attacker could exploit this vulnerability by sending a malicious HTTP request to the system. An exploit could allow the attacker to bypass security restrictions and download arbitrary files from the targeted system.

Exploit code is available.

Microsoft has not confirmed this vulnerability and updates are not available.

Courtesy: Cisco


A new flaw has been found in IIS 6.0 having WebDav. Cisco has reported the details of this flaw and Microsoft team is investigating around it. At present there is no patch available and it is recommended to disable WebDav till the patch is available.

The vulnerability is due to improper processing of Unicode characters in HTTP requests. When IIS is configured with WebDav, it improperly translates Unicode %c0%af (/) characters. Microsoft IIS may process an HTTP request that contains the character before requiring authentication to a protected resource. An unauthenticated, remote attacker could exploit this vulnerability by sending a malicious HTTP request to the targeted server. An exploit could allow the attacker to list directory contents or download protected files that are hosted by IIS without providing authentication credentials.

Courtesy: Cisco


Microsoft may soon release a patch to cover-up this vulnerability.

0 comments:

Post a Comment