Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Downplays IIS Bug Threat

Posted by Soulskill on from the this-is-not-the-bug-you're-looking-for dept.

snydeq writes "Microsoft confirmed that its IIS Web-server software contains a vulnerability that could let attackers steal data, but downplayed the threat, saying 'only a specific IIS configuration is at risk from this vulnerability.' The flaw, which involves how Microsoft's software processes Unicode tokens, has been found to give attackers a way to view protected files on IIS Web servers without authorization. The vulnerability, exposed by Nikolaos Rangos, could be used to upload files as well. Affecting IIS 6 users who have enabled WebDAV for sharing documents via the Web, the flaw is currently being exploited in online attacks, according to CERT, and is reminiscent of the well-known IIS unicode path traversal issue of 2001, one of the worst Windows vulnerabilities of the past decade."

1 of 114 comments (clear)

  1. Re:WebDAV used much? by 93+Escort+Wagon · · Score: 3, Insightful

    Since no one in their right mind will have WebDav and NTLM exposed to a public site, then the "hackers" can only come from within in the vast majority of scenarios.

    You're making the mistake of assuming that most IIS admins know what they're doing. I'm sure most of them think they know what they're doing, but I'm betting this flaw will get exploited from without much more often than you think it will.

    --
    #DeleteChrome