back to article Microsoft IIS6 bug exposes sensitive files sans password

Security experts are urging administrators using Microsoft's Internet Information Services version 6 to exercise extreme care following the discovery that the popular web server is vulnerable to a simple attack that exposes password-protected files and folders. The vulnerability resides in the part of IIS6 that processes …


This topic is closed for new posts.
  1. Craig McLean
    Gates Horns

    Give them a break

    It's not like unicode has been around long. Oh wait....

    Oooh, has anyone tried this spliot against MS Office Live Workspaces yet? <clickety-click>

  2. Anonymous Coward


    OK how the hell did something as bloody obvious as that get past even the first pass of testing.

    Surely anyone testing a web server is going to check for people doing that sort of thing with URLs

    Or is it April 1st again already?

  3. J

    Of course...

    Of course this only happens because everyone is using their software and therefore hackers target their stuff much more, and if FOSS had nearly the same... Oh, wait...

  4. Anonymous Coward
    Anonymous Coward

    Measure yourself when bashing MS, please

    A severity of a bug is not only related to how difficult is to exploit it (and this is a trivial one) It is also inversely proportional to how long it has been there without being exploited or discovered.

    Since II6 was launched as part of W2003, that makes this bug something like six years old. So, yes, it probably should not have passed testing. But no, it was not that easy to discover or else it would have been found on the wild already.

    El Reg, next time you could have saved me from browsing the IIS site just to know this fact. I understand that until you offshore the actual journalism so that you can focus on your core competencies (more playmobil reconstructions, please) this is something that probably is too much to ask from your limited resources. But I prefer not to browse sites that offer me an upgraded experience if I install SilverLight when using Firefox under Ubuntu.

  5. Anonymous Coward
    Anonymous Coward

    @AC 18:10

    More to the point, how did it get past testing at MS _and_ then all around the world for something like six years? Methinks there is something else going on here as well.

  6. matt

    "Moderately Critical"

    isn't that a bit like "slightly dead" or something?

  7. Quirkafleeg

    Not Unicode


  8. Andrew Williams
    Jobs Horns

    To the AC Microsoft defender

    It's oh so easy to assert it has not been used in the wild, but hey of course the only people to discover and use such fun little diversions are prone to tell the world. Well, no, they don't.

    That aside, now that's it's "widely known" let's see how quickly Microsoft clan close the floodgates.

    It probably exists because Ballmer thinks all your files are belong to him.

  9. Anonymous Coward


    Aren't you all missing the point?

    The reason it's not come to light before now is that no'one uses WebDAV on their sites, unless they're so microsoft-blinkered that they wouldn't consider anything else. It's hideous.

    So find a site which runs WebDAV and then exploit this vulnerability to download a password protected file by name which exists in a directory you already know the name of.

    Come back and post when you have a real-world example of a site where you can exploit this. We'll be waiting.

  10. david Bronze badge

    allready fixed

    That is, the floodgates were closed long ago: nobody has this feature enabled. There seems to be some disagreement at present about if it affects IIS5. Windows 2000 servers with IIS5 may still have Webdav running. If that is the case, those running their own web page in-house on Windows 2000 Server should turn off WebDav. Any other remnants who have deliberately exposed webdav to the public internet (a tiny and odd minority) can add urlscan ( to sanitise webdav requests.

    Very few people expose their file systems to WebDav. Only a tiny tiny minority of those use WebDav to expose their file system to the public internet, and are potentially affected by this.

  11. Tom Chiverton


    If it requires doing things not-in-the-default-way it's a fair bet the vast majority of Windows servers are set to their defaults.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019