Microsoft investigates security hole in IIS

Microsoft late yesterday issued a security advisory (971492) about a publicly reported vulnerability in IIS versions 5, 5.1 and 6.0 that could allow an attacker to elevate privileges. The vulnerability is an IIS authentication bypass but it currently requires a narrow configuration, the company says. Microsoft is currently investigating the vulnerability to see if other configurations could be successfully targeted.

The hole can currently only work if your web server meets all of the following criteria:

  • IF an IIS 5, 5.1, or 6.0 webserver is running with WebDAV enabled;
  • AND the IIS server is using IIS permissions to restrict a subfolder of content to authenticated users;
  • AND file system access is granted for the restricted content to the IUSR_[MachineName] account;
  • AND a parent folder of the private subfolder allows anonymous access;

    THEN an anonymous remote user may be able to leverage this vulnerability to access files that normally would only be served to authenticated webserver users.

Microsoft says it has not seen exploits of the vulnerability in the wild. It has not issued a patch, but has spelled out a number of workarounds, most of which involve modifying one or more of the configuration settings in the above list.

Visit the Microsoft Subnet web site for more news, blogs, podcasts. Subscribe to all Microsoft Subnet bloggers. Sign up for the bi-weekly Microsoft newsletter. (Click on News/Microsoft News Alert.)

May Patch Tuesday: One critical patch for PowerPointCIOs seem to love VMware over Hyper-VUsing offshore certified Microsoft partners? Beware of security holesMeet me in … a Meeting Workspace: Tips and Best PracticesMicrosoft OpsMgr R2 release candidate available, will ship end of June12 killer freebie SharePoint add-onsCloud computing is cheaper, greener but not yet enterprise ready .Net Services: Microsoft's key to cloud security and Java interoperabilityWindows 7 and WS2008 R2 ship date: holiday '09 Follow Microsoft Subnet on Twitter
Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Related:

Copyright © 2009 IDG Communications, Inc.

SD-WAN buyers guide: Key questions to ask vendors (and yourself)