Public exploits available
On this page
This Vulnerability allows remote attackers to bypass access restrictions on vulnerable installations of internet infromation server 6.0. The specific flaw exists within the WebDav functionality of IIS 6.0. The Web Server fails to properly handle unicode tokens when parsing the URI and sending back data. Exploitation of the issue can lead to authentication bypass and listing, downloading and uploading of files into a password protected WebDAV folder.
An attacker could exploit the vulnerability by creating a specially crafted HTTP request to a Web site that requires authentication, and thereby gain unauthorized access to protected resources.
Technical details (analysis)
The vulnerability occurs because the WebDAV extension does not properly decode the requested URL. This causes WebDAV to apply an incorrect configuration when handling the request. If the applied configuration allows anonymous access, a malicious request can bypass authentication. Note that IIS would still process such a request in the security context of the configured anonymous user account. Therefore, this vulnerability cannot be used to bypass NTFS ACLs. The restrictions imposed on the anonymous user account by file system ACLs will still be enforced
Microsoft Internet Information Services 5.0
Microsoft Internet Information Services 5.1
Microsoft Internet Information Services 6.0
Microsoft Internet Information Services 7.0
Release Date: 2009-05-18T00:00:00
Known false positives
No known false positives at this time
Disable WebDav by using IIS Lockdown Tool 2.1.
Change the file system ACLs to deny access to the anonymous user account.
Microsoft UrlScan Filter v3.1 can be used to disable WebDav.