System administrators should take note: a bug in the authentication checks performed by the WebDAV module could allow access to otherwise confidential information. While an update is pending, here are the temporary remedies.
The new flaw found in its web server could indeed have unpleasant consequences, Microsoft announced late on Monday.
According to the advisory issued by the company, a bug in the authentication features offered by Internet Information Services (IIS) could allow a remote user to bypass the authentication prompt and thereby gain access to the contents of password-protected folders.
The bug lies in the WebDAV extension of IIS, the report says, and could be exploited simply by sending the server an HTTP request crafted to trigger the weakness.
Three important factors mitigate the danger, however. First, the problem does not allow an attacker to bypass any access control lists (ACLs) set at the file system level, so a folder whose file system permissions exclude the anonymous user remains protected. Second, by default the anonymous account through which access would be gained does not have write privileges, which limits the risk to the theft of information, not its modification. Third, the WebDAV module is not enabled by default on IIS 6, although most administrators enable it as a matter of course.
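The bypass described above has an observable symptom in the server's own logs: the anonymous account (logged as cs-username "-") receiving a 2xx response for a path that should answer 401 to unauthenticated requests. The following Python script is an added example written for this page, not code from the article or from Microsoft, that triages IIS W3C extended logs for that symptom. It assumes the default IIS 6 logging field layout declared on the #Fields line; the protected folder /protected/ and the log lines are constructed for the demonstration. It checks web-tier behaviour only and does not assess the NTFS ACLs mentioned above.

```python
"""Triage IIS W3C extended logs for the symptom of the WebDAV authentication
bypass: the anonymous user getting a 2xx from a folder that demands credentials.

Editor's example, not code from the article or from Microsoft. The folder
/protected/ and the log lines below are constructed for the demo."""

# WebDAV verbs handled by the IIS WebDAV extension; a request using one of
# them is a stronger signal than a plain GET.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Constructed sample: five requests in the default IIS 6 W3C extended layout.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-05-18 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-05-18 10:00:01 192.0.2.10 GET /public/index.htm - 80 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
2009-05-18 10:00:02 192.0.2.10 GET /protected/report.xls - 80 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+7.0) 401 2 5
2009-05-18 10:00:03 192.0.2.10 GET /protected/report.xls - 80 CORP\\alice 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
2009-05-18 10:00:04 192.0.2.10 PROPFIND /protected/ - 80 - 203.0.113.5 Microsoft-WebDAV-MiniRedir/5.1.2600 207 0 0
2009-05-18 10:00:05 192.0.2.10 GET /protected/report.xls - 80 - 203.0.113.5 Microsoft-WebDAV-MiniRedir/5.1.2600 200 0 0
"""


def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the names on the #Fields line."""
    fields = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("request line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_anonymous_bypasses(log_text, protected_prefixes):
    """Return requests where the anonymous user (cs-username '-') received a
    2xx for a path under a protected prefix. Such folders should answer 401 to
    anonymous requests, so a 2xx here is the observable sign of a bypass."""
    alerts = []
    for rec in parse_w3c(log_text):
        stem = rec["cs-uri-stem"].lower()
        if not any(stem.startswith(p.lower()) for p in protected_prefixes):
            continue
        if rec["cs-username"] != "-":
            continue  # an authenticated user: expected behaviour
        status = int(rec["sc-status"])
        if not 200 <= status < 300:
            continue  # 401/403 is the normal outcome for anonymous
        alerts.append({
            "time": rec["date"] + " " + rec["time"],
            "client": rec["c-ip"],
            "method": rec["cs-method"],
            "uri": rec["cs-uri-stem"],
            "status": status,
            "webdav_verb": rec["cs-method"].upper() in WEBDAV_METHODS,
        })
    return alerts


if __name__ == "__main__":
    for a in find_anonymous_bypasses(SAMPLE_LOG, ["/protected/"]):
        sev = "HIGH" if a["webdav_verb"] else "MEDIUM"
        print(f"{sev} {a['time']} {a['client']} {a['method']} {a['uri']} -> {a['status']}")
```

Run against the sample, the script flags only the two requests from 203.0.113.5: the PROPFIND that got a 207 and the following GET that got a 200 without any username being logged. The 401 for the first anonymous attempt and the 200 for CORP\alice are the normal outcomes and are ignored. Point it at the live W3C log directory with the prefixes of your password-protected folders to look for the same pattern.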
The affected versions are Internet Information Services 5.0 (Windows 2000), 5.1 (Windows XP) and 6.0 (Windows Server 2003). Version 7.0, included in Windows Server 2008 and Windows Vista (Business, Enterprise and Ultimate editions), appears to be immune. No information was released about version 7.5, which ships with Windows Server 2008 R2 and Windows 7, but since it is based on the same code as 7.0 it is presumed to be protected as well.
Microsoft, however, reassures its customers: at the time of writing no attacks based on the new problem have been reported. Details of the flaw do appear to have been published, though, increasing the risk that someone could craft an exploit before a working patch is available.
The update may not arrive for some time: the monthly Microsoft security bulletin was issued on Tuesday last week, and the next is not due before 9 June.
The official Microsoft Security Research & Defense blog has published an informative post with more details on the problem and the various countermeasures that can be taken while waiting for the fix.
Original article: Internet Information Services: protected folders are at risk