
IIS 5.0 Authentication Bypass Exploit



#1 harrywaldron


Posted 03 June 2007 - 01:20 PM

A new exploit affecting version 5 only has surfaced. The working exploit discloses sensitive information but doesn't execute malware code so far.

IIS 5.0 authentication bypass exploit -- CVE-2007-2815
http://isc.sans.org/diary.html?storyid=2915
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2815

QUOTE: The exploit was discovered on December 15, 2006, and made public since the end of May 2007. The design of IIS 5.x allows to bypass basic authentication by using the hit highlight feature.

KB-328832: Hit-highlighting does not rely on IIS authentication
http://support.microsoft.com/kb/328832

QUOTE: We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security.
