Peaches
Posted May 17, 2009

16 May 2009, 15:28

Security hole in IIS 6.0

"A WebDAV vulnerability in Microsoft's Internet Information Server 6.0 (IIS) allows attackers to access password-protected directories and download and even upload arbitrary files. According to a report, the access isn't limited to WebDAV folders: the vulnerability affects all the directories controlled by the web server. It is caused by a flaw in the processing of unicode characters.

Nicolaos Rangos, who discovered the hole, reports that a request with a header like the following example, prompts the IIS to return a protected file from a regular folder without any authentication:

GET /..%c0%af/protected/protected.zip HTTP/1.1
Translate: f
Connection: close
Host: servername

In this example, the slash "/" is encoded as the %c0%af unicode character; the security function apparently overlooks this and consequently grants access to /protected/protected.zip. The Translate: f option activates the WebDAV function for regular directories. It is, however, not possible to download ASP scripts this way, unless the server has explicitly been enabled to return source code."

details at Heise Security - http://www.h-online.com/security/Security-...0--/news/113303
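A detection check for the request pattern quoted in the post above, as an added example that is not part of the original post or the Heise report: it flags percent-encoded overlong UTF-8 sequences such as %c0%af (the overlong two-byte form of "/") in a request target and notes whether a Translate: f header accompanies them. It goes beyond the single sequence in the post by also covering three-byte overlong forms; the function names and the sample requests are constructed for illustration.

```python
from urllib.parse import unquote_to_bytes

def _is_cont(b):
    return 0x80 <= b <= 0xBF

def overlong_sequences(target):
    """Return (offset, raw bytes, decoded char) for every overlong UTF-8
    sequence in the percent-decoded request target."""
    raw = unquote_to_bytes(target)
    hits, i = [], 0
    while i < len(raw):
        b, rest = raw[i], raw[i + 1:i + 3]
        # Two-byte form: lead 0xC0/0xC1 can only encode U+0000..U+007F.
        if b in (0xC0, 0xC1) and len(rest) >= 1 and _is_cont(rest[0]):
            cp = ((b & 0x1F) << 6) | (rest[0] & 0x3F)
            hits.append((i, raw[i:i + 2], chr(cp)))
            i += 2
        # Three-byte form: 0xE0 followed by 0x80..0x9F encodes below U+0800.
        elif b == 0xE0 and len(rest) == 2 and 0x80 <= rest[0] <= 0x9F and _is_cont(rest[1]):
            cp = ((rest[0] & 0x3F) << 6) | (rest[1] & 0x3F)
            hits.append((i, raw[i:i + 3], chr(cp)))
            i += 3
        else:
            i += 1
    return hits

def inspect_request(raw_request):
    """Parse a raw HTTP/1.1 request head and report the two indicators."""
    head = raw_request.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _version = head[0].split(" ", 2)
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    hits = overlong_sequences(target)
    translate_f = headers.get("translate", "").lower() == "f"
    return {"method": method, "overlong": hits, "translate_f": translate_f,
            "matches_report": bool(hits) and translate_f}

# Constructed samples: the first reuses the request quoted in the post.
REPORTED = ("GET /..%c0%af/protected/protected.zip HTTP/1.1\r\n"
            "Translate: f\r\nConnection: close\r\nHost: servername\r\n\r\n")
BENIGN = "GET /docs/caf%c3%a9.txt HTTP/1.1\r\nHost: servername\r\n\r\n"

if __name__ == "__main__":
    for req in (REPORTED, BENIGN):
        print(inspect_request(req))
```

An overlong sequence is invalid UTF-8 on its own, so a non-empty `overlong` list is grounds to reject the request whether or not the Translate header is present.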