Microsoft's IIS 6 web server is vulnerable to attacks

June 10, 2009

Security – A security researcher has demonstrated that it is possible to access protected data on an IIS version 6 web server thanks to a flaw in WebDAV. Other Microsoft applications could be vulnerable.

A security researcher, Nikolaos Rangos, has just disclosed on Full Disclosure a vulnerability in Microsoft's web server technology, IIS 6. In a document published on the site, the expert demonstrates that it is possible to bypass all authentication in order to carry out actions against an IIS server.

The attacks revealed by Nikolaos Rangos take advantage of a peculiarity of WebDAV (Web-based Distributed Authoring and Versioning), which in IIS makes it possible to share documents over the Internet. Using specially crafted requests containing Unicode characters, the researcher was able to access data whose access is nevertheless protected.

Versions 5 and 7 of IIS are not vulnerable

The IIS flaw lies in the way WebDAV interprets Unicode characters. In addition to reading files and accessing directories that require authentication, Nikolaos Rangos demonstrated that it is possible to upload content to a server, potentially including malicious programs.

Another security expert, building on Nikolaos Rangos's discovery, was thus able to execute unauthorized applications on an IIS server. According to him, this action would be feasible only on IIS 6, and not on versions 5 and 7 of the software. But other applications that integrate WebDAV could prove vulnerable.

Informed of the vulnerability, Microsoft has stated that it has so far recorded no attacks. The American authority for the security of computer infrastructures, US-CERT, says otherwise: on its site, this service states that code allowing this vulnerability to be exploited is already available and that attacks have been observed.

Microsoft is preparing an alert bulletin for its users to inform them of the solutions that will let them protect themselves against exploitation of the vulnerability. Cisco has also reacted, publishing information about a risk of intrusion.
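
Because the flaw lies in how WebDAV interprets Unicode characters in a request, a defender can review request logs for paths that carry non-ASCII or malformed UTF-8 bytes. The following is an added example, not code from the article or from Microsoft; it assumes raw, still percent-encoded request lines in a simple `METHOD target status` layout, and the function names and sample lines are constructed for illustration.

```python
import re

PCT = re.compile(rb"%([0-9A-Fa-f]{2})")

def path_bytes(target: str) -> bytes:
    """Percent-decode the path part of a request target into raw bytes."""
    path = target.split("?", 1)[0].encode("utf-8")
    return PCT.sub(lambda m: bytes([int(m.group(1), 16)]), path)

def classify(target: str) -> str:
    """Return 'ascii', 'unicode' (valid non-ASCII UTF-8) or 'malformed'."""
    data = path_bytes(target)
    if all(b < 0x80 for b in data):
        return "ascii"
    try:
        # Python's strict decoder rejects overlong and truncated sequences.
        data.decode("utf-8")
    except UnicodeDecodeError:
        return "malformed"
    return "unicode"

def review(lines):
    """Return (line_no, method, kind, target) for every non-ASCII path."""
    findings = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 2:
            continue  # not a request line in the assumed layout
        method, target = parts[0].upper(), parts[1]
        kind = classify(target)
        if kind != "ascii":
            findings.append((n, method, kind, target))
    return findings

# Constructed sample log, assumed layout: METHOD target status
SAMPLE_LOG = [
    "GET /docs/readme.txt 200",
    "PROPFIND /share/ 207",
    "GET /share/r%C3%A9sum%C3%A9.doc 200",   # valid UTF-8: review only
    "PUT /share/%c1%81.bin 201",             # not valid UTF-8: investigate
]

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Requests classed as `malformed` deserve attention first, since a path that is not valid UTF-8 has no legitimate reason to reach a document share; `unicode` hits are usually ordinary file names and only need a spot check.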
