IIS6.0 WebDav Remote Auth Bypass

If you've been in the security business long enough, this one will sound extremely familiar: apparently, adding certain Unicode characters to a URL makes it possible to bypass authentication in Microsoft IIS6 with WebDav and to access, or even upload, files in folders that are supposed to be password protected.

The description was posted to Full Disclosure earlier, and there's a brief comment/analysis on Thierry Zoller's blog.

Yup, we hate to spring such surprises on you on a Friday evening. If you have WebDav active and reachable from the Internet on any of your IIS6 servers, it is probably a wise move to hedge and turn WebDav off over the weekend, until more details on this problem become available.
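While WebDav is still switched on, the one thing you can do right now is look at what has already hit the server. The script below is an added example, not part of the original diary and not code from the ISC: it walks IIS 6 W3C-format log lines and flags WebDav-style requests (PROPFIND, PUT, MKCOL and friends) whose URI stem carries raw or percent-encoded non-ASCII bytes, which is exactly the combination the report describes. The field layout, the sample log lines and the `%c3%a9` path segment in them are constructed for the example and are assumptions, not the actual bytes used in the reported bypass; adjust `FIELDS` to match the `#Fields:` header of your own logs.

```python
import re

# WebDav verbs worth reviewing. OPTIONS is included because WebDav clients
# use it for discovery; drop it if it generates too much noise on your site.
WEBDAV_METHODS = {
    "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
    "PUT", "DELETE", "SEARCH", "OPTIONS",
}

# Assumed IIS 6 W3C extended log field order (taken from the #Fields: header
# of the constructed sample below). Match it to your own log files.
FIELDS = [
    "date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
    "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status",
    "sc-substatus", "sc-win32-status",
]

PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def has_non_ascii_encoding(uri_stem):
    """True if the URI stem contains a raw non-ASCII character or a
    percent-encoded byte >= 0x80 (i.e. a Unicode / UTF-8-style sequence)."""
    if any(ord(ch) > 0x7F for ch in uri_stem):
        return True
    return any(int(hexpair, 16) >= 0x80 for hexpair in PCT.findall(uri_stem))


def parse_line(line):
    """Split one W3C log line into a dict; comment lines and short lines give None."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def find_suspicious(lines):
    """Return the parsed records that combine a WebDav verb with a
    non-ASCII (raw or percent-encoded) URI stem."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["cs-method"].upper() in WEBDAV_METHODS and has_non_ascii_encoding(rec["cs-uri-stem"]):
            hits.append(rec)
    return hits


# Constructed sample log: one ordinary GET, one WebDav request that was
# correctly challenged (401), and two WebDav requests with an encoded
# non-ASCII segment in the path that succeeded.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-05-16 18:02:11 10.0.0.5 GET /public/index.htm - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
2009-05-16 18:02:14 10.0.0.5 PROPFIND /protected/ - 80 - 198.51.100.7 Microsoft-WebDAV-MiniRedir/5.1 401 2 5
2009-05-16 18:02:15 10.0.0.5 PROPFIND /%c3%a9/protected/ - 80 - 198.51.100.7 Microsoft-WebDAV-MiniRedir/5.1 207 0 0
2009-05-16 18:02:20 10.0.0.5 PUT /%c3%a9/protected/upload.txt - 80 - 198.51.100.7 Microsoft-WebDAV-MiniRedir/5.1 201 0 0
""".splitlines()


if __name__ == "__main__":
    # Usage on a real file: find_suspicious(open(r"C:\path\to\ex090516.log"))
    for rec in find_suspicious(SAMPLE_LOG):
        print(rec["date"], rec["time"], rec["c-ip"], rec["cs-method"],
              rec["cs-uri-stem"], rec["sc-status"])
```

A hit from this script is a lead, not proof: legitimate sites with non-ASCII folder names will trip it, so pair the output with the status code (a 2xx on a path that normally answers 401 is the interesting case) and with the client address before escalating.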



ISC Handler
May 16th 2009
