IIS 6 attack could let hackers snoop on servers

Started by dhilipkumar, May 25, 2009, 10:40 AM

dhilipkumar

IIS 6 attack could let hackers snoop on servers

Security vendors are warning users of Microsoft Corp.'s Internet Information Services 6 Web server software that a new online attack could put their data at risk.

sending a specially crafted HTTP request to the server he was able to view and upload files on the machine.

The attack takes advantage of a bug in the way that Microsoft's software processes Unicode tokens,
even with WebDAV enabled, Exchange Server running on IIS 6 and SharePoint Server were not affected by the flaw.

dhilipkumar

Microsoft confirms serious IIS bug,

Microsoft also confirmed that the older IIS 5 and IIS 5.1 software is vulnerable....

The newer IIS 7, which debuted alongside Windows Vista and is included in Windows Server 2008, is not affected,

a set of extensions to HTTP used to share documents over the Web. WebDAV is also used in Microsoft Exchange 2003 to access inboxes through a browser.....

they have found is that the IIS installer applies an NTFS access control entry to explicitly deny write access to the anonymous account (IUSR_[MachineName]) in wwwroot and subdirectories
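An added example, not part of the original posts or of any Microsoft tooling: a PowerShell audit that checks whether the deny-write access control entry described above is actually in effect on the web root and every subdirectory. The default path `C:\Inetpub\wwwroot`, the use of the `WriteData` right as the test for "write access", and the helper name `Test-DenyWrite` are assumptions made for this sketch.

```powershell
# Added example: audit sketch, not code from the original post.
# Assumptions: default web root path; anonymous account is IUSR_<MachineName>.
param(
    [string]$WebRoot = 'C:\Inetpub\wwwroot',
    [string]$Account = "IUSR_$env:COMPUTERNAME"
)

# WriteData on a directory is the right needed to create files in it.
$writeData = [System.Security.AccessControl.FileSystemRights]::WriteData
$deny      = [System.Security.AccessControl.AccessControlType]::Deny

# Hypothetical helper: returns $true when a Deny ACE for $Account
# (explicit or inherited) covers WriteData on $Path.
function Test-DenyWrite {
    param([string]$Path, [string]$Account)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $name        = $ace.IdentityReference.Value
        $isAccount   = ($name -eq $Account) -or ($name -like "*\$Account")
        $isDeny      = $ace.AccessControlType -eq $deny
        $coversWrite = ($ace.FileSystemRights -band $writeData) -eq $writeData
        if ($isAccount -and $isDeny -and $coversWrite) { return $true }
    }
    return $false
}

# Web root plus all subdirectories (PSIsContainer works on old PowerShell versions).
$dirs  = @(Get-Item -Path $WebRoot)
$dirs += @(Get-ChildItem -Path $WebRoot -Recurse | Where-Object { $_.PSIsContainer })

# Directories where the deny entry has been removed or inheritance was broken.
$missing = @($dirs | Where-Object {
    -not (Test-DenyWrite -Path $_.FullName -Account $Account)
})

if ($missing.Count -eq 0) {
    "OK: deny-write ACE for $Account present on $($dirs.Count) directories"
} else {
    $missing | ForEach-Object { "MISSING deny-write ACE for ${Account}: $($_.FullName)" }
}
```

Directories reported as missing are the ones where an anonymous request could be left with write access, so they are the first places to review on a server that has WebDAV enabled.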