Microsoft IIS6 bug exposes sensitive files sans password Security experts are urging administrators using Microsoft's Internet Information Services version 6 to exercise extreme care following the discovery that the popular web server is vulnerable to a simple attack that exposes password-protected files and folders. The vulnerability resides in the part of IIS6 that processes …
A severity of a bug is not only related to how difficult is to exploit it (and this is a trivial one) It is also inversely proportional to how long it has been there without being exploited or discovered.
Since II6 was launched as part of W2003, that makes this bug something like six years old. So, yes, it probably should not have passed testing. But no, it was not that easy to discover or else it would have been found on the wild already.
El Reg, next time you could have saved me from browsing the IIS site just to know this fact. I understand that until you offshore the actual journalism so that you can focus on your core competencies (more playmobil reconstructions, please) this is something that probably is too much to ask from your limited resources. But I prefer not to browse sites that offer me an upgraded experience if I install SilverLight when using Firefox under Ubuntu.
It's oh so easy to assert it has not been used in the wild, but hey of course the only people to discover and use such fun little diversions are prone to tell the world. Well, no, they don't.
That aside, now that's it's "widely known" let's see how quickly Microsoft clan close the floodgates.
It probably exists because Ballmer thinks all your files are belong to him.
Aren't you all missing the point?
The reason it's not come to light before now is that no'one uses WebDAV on their sites, unless they're so microsoft-blinkered that they wouldn't consider anything else. It's hideous.
So find a site which runs WebDAV and then exploit this vulnerability to download a password protected file by name which exists in a directory you already know the name of.
Come back and post when you have a real-world example of a site where you can exploit this. We'll be waiting.
That is, the floodgates were closed long ago: nobody has this feature enabled. There seems to be some disagreement at present about if it affects IIS5. Windows 2000 servers with IIS5 may still have Webdav running. If that is the case, those running their own web page in-house on Windows 2000 Server should turn off WebDav. Any other remnants who have deliberately exposed webdav to the public internet (a tiny and odd minority) can add urlscan (technet.microsoft.com/en-us/security/cc242650.aspx) to sanitise webdav requests.
Very few people expose their file systems to WebDav. Only a tiny tiny minority of those use WebDav to expose their file system to the public internet, and are potentially affected by this.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
