Monday, June 4, 2007

IIS 5.0 authentication bypass exploit

A recently discovered (Dec 2006) IIS 5.0 exploit raises the bar for securing your web servers.

Actually, the most interesting aspect of this issue is that Microsoft has not released a patch to correct the exploit, but is instead showing the world how the exploit works and using it as a scare tactic to get you to upgrade to IIS6 (Windows 2003 server). Check this out:
http://support.microsoft.com/kb/328832

IMHO, this is yet another shameless cheap shot by Microsoft to push you into an upgrade. They actually show you how to use the exploit but offer no solution except to strongly recommend upgrading.

The cheap fix for those running IIS5 is to use URLScan and make sure you are blocking the .htw extension.
.htw is the webhits extension, which is not widely used, so unless you have a specific need for it, block it by running the IIS Lockdown Tool and making sure you enable URLScan during install. I believe that .htw is blocked in most template installs, but you should check the urlscan.ini after install to make sure.
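One way to do that urlscan.ini check, as an added example that is not part of the original post: it reads the `[options]`, `[AllowExtensions]` and `[DenyExtensions]` sections and reports whether `.htw` requests would be rejected. The function names and the sample configs are constructed for illustration, and it assumes `UseAllowExtensions` defaults to 0 when the key is absent.

```python
import re

def parse_urlscan(text):
    """Return {section_name_lowercase: [entries]} for urlscan.ini text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def extension_blocked(text, ext=".htw"):
    """True if URLScan would reject requests for `ext` under this config."""
    sections = parse_urlscan(text)
    options = {}
    for entry in sections.get("options", []):
        key, _, value = entry.partition("=")
        options[key.strip().lower()] = value.strip()
    ext = ext.lower()
    # Assumption: UseAllowExtensions defaults to 0 (deny-list mode) when absent.
    if options.get("useallowextensions", "0") == "1":
        # Allow-list mode: [DenyExtensions] is ignored entirely.
        return ext not in {e.lower() for e in sections.get("allowextensions", [])}
    return ext in {e.lower() for e in sections.get("denyextensions", [])}

# Constructed sample configs (not taken from a real server).
DENY_OK = "[options]\nUseAllowExtensions=0 ; deny-list mode\n[DenyExtensions]\n.ida\n.HTW ; webhits\n"
DENY_MISSING = "[options]\nUseAllowExtensions=0\n[DenyExtensions]\n.ida\n.idq\n"
ALLOW_LEAKY = "[options]\nUseAllowExtensions=1\n[AllowExtensions]\n.asp\n.htw\n[DenyExtensions]\n.htw\n"

if __name__ == "__main__":
    for name, cfg in [("DENY_OK", DENY_OK), ("DENY_MISSING", DENY_MISSING), ("ALLOW_LEAKY", ALLOW_LEAKY)]:
        print(name, "blocks .htw:", extension_blocked(cfg))
```

The `ALLOW_LEAKY` case is the one to watch for: with `UseAllowExtensions=1`, a `.htw` entry in `[DenyExtensions]` has no effect if `.htw` also appears in `[AllowExtensions]`.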

For more info on the exploit, see the SANS alert here:
http://isc.sans.org/diary.html?storyid=2915&rss
