Hackers Circle Microsoft Server Software Flaw | eWeek

Hackers Circle Microsoft Server Software Flaw

Verfasst von
Brian Prince
Brian Prince
May 19, 2009
2 minute read
eWeek Inhalte und Produktempfehlungen sind redaktionell unabhängig. Wir können Geld verdienen, wenn Sie auf Links zu unseren Partnern klicken. Mehr erfahren

Exploit code for a vulnerability in Microsoft’s Internet Information Services software is circulating around the Web, leaving organizations in search for ways to keep hackers at bay.

According to US-CERT, attacks leveraging the vulnerability are already under way, though Microsoft said in an advisory it was unaware of any exploits. Still, US-CERT urged users waiting for a patch to consider disabling WebDAV.

For administrators unable to do so, US-CERT recommends reconfiguring the software to block attacks.

“Administrators who are unable to disable WebDAV may be able to mitigate some risk by configuring their IDS to refuse external HTTP requests containing ‘Translate: f’ headers,” according to the US-CERT advisory.

The problem lies in the way the WebDAV extension for IIS handles HTTP requests. Armed with a specially crafted HTTP request to a Website that requires authentication, a hacker can exploit the vulnerability to win unauthorized access to protected resources.

“The vulnerability occurs because the WebDAV extension does not properly decode the requested URL,” according to Microsoft. “This causes WebDAV to apply an incorrect configuration when handling the request. If the applied configuration allows anonymous access, a malicious request can bypass authentication.

“Note that IIS would still process such a request in the security context of the configured anonymous user account,” the advisory continued. “Therefore, this vulnerability cannot be used to bypass NTFS ACLs. The restrictions imposed on the anonymous user account by file system ACLs will still be enforced.”

Only a specific configuration of IIS is at risk from the vulnerability, which may serve as an additional mitigation for the threat. The vulnerability is only at play if an IIS 5, 5.1 or 6.0 Web server is running with WebDAV enabled, the IIS server is using IIS permissions to restrict a subfolder of content to authenticated users, and file system access is granted for the restricted content to the IUSR_[MachineName] account. In addition, a parent folder of the private subfolder must allow anonymous access.

Also, the Windows Server 2003 IIS (Version 6) shipped with WebDAV disabled by default, Microsoft officials said.

Microsoft did not say whether or not the company would issue an out-of-band patch for the vulnerability. The next scheduled security release is June 9.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Eigentum von TechnologyAdvice. © 2026 TechnologyAdvice. Alle Rechte vorbehalten

Werbetreibenden-Offenlegung: Einige der auf dieser Website erscheinenden Produkte stammen von Unternehmen, von denen TechnologyAdvice eine Vergütung erhält. Diese Vergütung kann beeinflussen, wie und wo Produkte auf dieser Website erscheinen, einschließlich beispielsweise der Reihenfolge, in der sie erscheinen. TechnologyAdvice schließt nicht alle Unternehmen oder alle auf dem Marktplatz verfügbaren Produkttypen ein.