Security experts are urging administrators using Microsoft's Internet Information Services version 6 to exercise extreme care following the discovery that the popular web server is vulnerable to a simple attack that exposes password-protected files and folders. The vulnerability resides in the part of IIS6 that processes …
Give them a break
It's not like unicode has been around long. Oh wait....
Oooh, has anyone tried this sploit against MS Office Live Workspaces yet? <clickety-click>
OK, how the hell did something as bloody obvious as that get past even the first pass of testing?
Surely anyone testing a web server is going to check for people doing that sort of thing with URLs.
Or is it April 1st again already?
Of course this only happens because everyone is using their software and therefore hackers target their stuff much more, and if FOSS had nearly the same... Oh, wait...
Measure yourself when bashing MS, please
The severity of a bug is not only related to how difficult it is to exploit (and this is a trivial one). It is also inversely proportional to how long it has been there without being exploited or discovered.
Since IIS6 was launched as part of W2003, that makes this bug something like six years old. So, yes, it probably should not have passed testing. But no, it was not that easy to discover or else it would have been found in the wild already.
El Reg, next time you could have saved me from browsing the IIS site just to know this fact. I understand that until you offshore the actual journalism so that you can focus on your core competencies (more Playmobil reconstructions, please) this is something that probably is too much to ask from your limited resources. But I prefer not to browse sites that offer me an upgraded experience if I install Silverlight when using Firefox under Ubuntu.
More to the point, how did it get past testing at MS _and_ then all around the world for something like six years? Methinks there is something else going on here as well.
isn't that a bit like "slightly dead" or something?
To the AC Microsoft defender
It's oh so easy to assert it has not been used in the wild, but hey of course the only people to discover and use such fun little diversions are prone to tell the world. Well, no, they don't.
That aside, now that it's "widely known" let's see how quickly Microsoft can close the floodgates.
It probably exists because Ballmer thinks all your files are belong to him.
Aren't you all missing the point?
The reason it's not come to light before now is that no one uses WebDAV on their sites, unless they're so Microsoft-blinkered that they wouldn't consider anything else. It's hideous.
So find a site which runs WebDAV and then exploit this vulnerability to download a password protected file by name which exists in a directory you already know the name of.
Come back and post when you have a real-world example of a site where you can exploit this. We'll be waiting.
That is, the floodgates were closed long ago: nobody has this feature enabled. There seems to be some disagreement at present about whether it affects IIS5. Windows 2000 servers with IIS5 may still have WebDAV running. If that is the case, those running their own web page in-house on Windows 2000 Server should turn off WebDAV. Any other remnants who have deliberately exposed WebDAV to the public internet (a tiny and odd minority) can add UrlScan (technet.microsoft.com/en-us/security/cc242650.aspx) to sanitise WebDAV requests.
Very few people expose their file systems to WebDAV. Only a tiny tiny minority of those use WebDAV to expose their file system to the public internet, and are potentially affected by this.
If it requires doing things not-in-the-default-way it's a fair bet the vast majority of Windows servers are set to their defaults.