
SANS ISC: IIS6.0 WebDav Remote Auth Bypass - SANS Internet Storm Center


IIS6.0 WebDav Remote Auth Bypass

If you're in the security business long enough, this one will sound extremely familiar: apparently, adding certain Unicode characters to a URL makes it possible to bypass authentication in Microsoft IIS6 with WebDav and access, or even upload, files in folders which are supposed to be password protected.

The description was posted to Full Disclosure earlier, and there's a brief comment/analysis on Thierry Zoller's blog.

Yup, we hate to spring such surprises on you on a Friday evening. If you have WebDav active and accessible from the Internet on any of your IIS6 servers, it is probably a wise move to hedge and turn WebDav off over the weekend, until more details on this problem become available.
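While WebDav is still up, a quick log triage is worth doing: the diary says the bypass rides on Unicode characters in the URL, and the interesting outcome is a WebDav request (including PUT uploads) against a protected folder that gets a 2xx rather than a 401. The script below is an added example, not part of the diary; the IIS6 W3C log lines and the encoded path `/%c3%a9/protected/` are constructed sample data, and the exact bypass sequence is deliberately not reproduced. It flags any WebDav method whose percent-decoded URI contains a high-bit (non-ASCII) byte.

```python
from urllib.parse import unquote_to_bytes

# WebDav verbs worth looking at; PUT/MKCOL/MOVE are the ones that change content.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "PUT", "DELETE", "SEARCH"}

# Constructed IIS6 W3C-format sample log (not real traffic). The encoded
# segment is an arbitrary non-ASCII character, not the actual bypass string.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2009-05-15 20:01:02 192.0.2.10 GET /protected/report.doc 401
2009-05-15 20:01:05 192.0.2.10 PROPFIND /%c3%a9/protected/ 207
2009-05-15 20:01:09 192.0.2.10 PUT /%c3%a9/protected/upload.txt 201
2009-05-15 20:02:00 198.51.100.7 GET /index.htm 200
"""


def has_non_ascii_escape(uri: str) -> bool:
    """True if the percent-decoded URI contains any byte >= 0x80."""
    return any(b >= 0x80 for b in unquote_to_bytes(uri))


def triage_iis_log(text: str) -> list:
    """Return WebDav requests whose URI carries non-ASCII escapes.

    Field names are taken from the #Fields directive, so the function copes
    with whatever column layout the site has configured.
    """
    fields = None
    hits = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or not raw.strip() or fields is None:
            continue
        rec = dict(zip(fields, raw.split()))
        method = rec.get("cs-method", "")
        uri = rec.get("cs-uri-stem", "")
        if method in WEBDAV_METHODS and has_non_ascii_escape(uri):
            # A 2xx here on a folder that should demand credentials is the
            # thing to investigate; 401 means authentication still held.
            hits.append({"ip": rec.get("c-ip"), "method": method,
                         "uri": uri, "status": rec.get("sc-status")})
    return hits


if __name__ == "__main__":
    for hit in triage_iis_log(SAMPLE_LOG):
        print(hit)
```

Run it against the real ex*.log files under the IIS log directory; any hit with a 2xx status against a path that should have required credentials deserves a look at what was read or written there.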


Daniel, ISC Handler
