IIS6.0 WebDav Remote Auth Bypass
Last Updated: 2009-05-19 03:57:00 UTC
by Daniel Wesemann (Version: 2)
Quick update on this: There are now two Microsoft blog posts with details:
The MSRC blog at http://blogs.technet.com/msrc and the SRD blog at http://blogs.technet.com/srd (the latter has more details).
And don't forget about the new advisory: http://www.microsoft.com/technet/security/advisory/971492.mspx
Quick summary: IIS 5.0, 5.1 and 6.0 are affected. The main risk is that unauthorized access to files is possible if WebDAV is used for access control. Writing files appears to be possible only in very specific non-default configurations. Easiest solution: Don't use WebDAV. If you have it enabled, check whether you actually need it and turn it off (it is always good to turn off unnecessary components).
If you've been in the security business long enough, this one will sound extremely familiar: Apparently, adding certain Unicode characters to a URL makes it possible to bypass authentication in Microsoft IIS6 with WebDAV and to access, or even upload, files in folders which are supposed to be password protected.
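As an added illustration (not part of this diary, and not Microsoft's or the reporter's code), the following Python script hunts IIS W3C-style log lines for request URIs that carry percent-encoded non-ASCII (Unicode) bytes and that, once those bytes are stripped, resolve into a folder that is supposed to require authentication. The sample log lines, the `/protected/` prefix and the WebDAV method list are constructed assumptions; the heuristic produces candidates for review and does not by itself confirm a bypass.

```python
"""Flag IIS log lines whose URI hides non-ASCII bytes in front of a protected path.

Added example for this diary. Log lines, the protected prefix and the
method list below are constructed assumptions, not data from the page.
"""
from urllib.parse import unquote_to_bytes

# Assumption: these folders are behind WebDAV/IIS authentication.
PROTECTED_PREFIXES = ("/protected/",)

# Standard WebDAV request methods (RFC 4918) plus OPTIONS/PUT.
WEBDAV_METHODS = {"OPTIONS", "PROPFIND", "PROPPATCH", "MKCOL", "COPY",
                  "MOVE", "LOCK", "UNLOCK", "PUT"}

# Constructed W3C-style lines: date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2009-05-19 01:02:03 203.0.113.5 GET /protected/report.doc 401
2009-05-19 01:02:10 203.0.113.5 PROPFIND /%e2%80%8b/protected/ 207
2009-05-19 01:02:12 203.0.113.5 GET /pr%c3%a9otected/report.doc 200
2009-05-19 01:05:00 198.51.100.7 GET /public/index.htm 200
"""


def has_non_ascii(uri):
    """True if the percent-decoded URI contains any byte >= 0x80."""
    return any(b >= 0x80 for b in unquote_to_bytes(uri))


def ascii_canonical(uri):
    """Decode %xx escapes, drop non-ASCII bytes, collapse repeated slashes.

    This approximates the path a server could end up serving once the
    non-ASCII bytes are ignored during authorization checks.
    """
    decoded = unquote_to_bytes(uri)
    kept = bytes(b for b in decoded if b < 0x80).decode("ascii")
    while "//" in kept:
        kept = kept.replace("//", "/")
    return kept


def touches_protected(uri):
    """True if the canonical form of the URI lands in a protected folder."""
    canonical = ascii_canonical(uri)
    return any(canonical.startswith(p) for p in PROTECTED_PREFIXES)


def scan_log(text):
    """Return one finding per line whose URI carries non-ASCII bytes.

    Each finding records whether the canonical path reaches a protected
    folder and whether the request used a WebDAV method.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 6:
            continue
        _date, _time, client_ip, method, uri, status = parts[:6]
        if not has_non_ascii(uri):
            continue
        findings.append({
            "line": lineno,
            "client_ip": client_ip,
            "method": method,
            "uri": uri,
            "status": status,
            "canonical": ascii_canonical(uri),
            "protected": touches_protected(uri),
            "webdav": method.upper() in WEBDAV_METHODS,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        tag = "PROTECTED" if f["protected"] else "other"
        print(f"line {f['line']}: {f['client_ip']} {f['method']} {f['uri']} "
              f"-> {f['canonical']} [{tag}] status={f['status']}")
```

Run it against a real IIS log by passing the file contents to `scan_log`; a hit with a 200 or 207 status against a folder that normally answers 401 is the line worth pulling for investigation, while the bare non-ASCII hits are mostly international file names and can be triaged away.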
The description was posted to Full Disclosure earlier, and there's a brief comment/analysis on Thierry Zoller's blog.
Yup, we hate to spring such surprises on you on a Friday evening. If you have WebDAV active and accessible from the Internet on any of your IIS6 servers, it is probably a wise move to hedge and turn WebDAV off over the weekend, until more details on this problem become available.