« Microsoft bans Memcpy() in their SDL program | Main | Java Flaw still not fixed in Mac OS X »

IIS6.0 WebDav Unicode Remote Auth Bypass

Update: Microsoft has posted some additional information in multiple entries.

A new unicode bug in IIS has been discovered which allows an attacker access to resources behind password protected sites. This issue only seems to affect IIS 6 (5 and 7 seem immune) and no fix has been issued at this time.

Advisory: http://seclists.org/fulldisclosure/2009/May/att-0134/IIS_Advisory_pdf
Overview: http://blog.zoller.lu/2009/05/iis-6-webdac-auth-bypass-and-data.html


Feed You can follow this conversation by subscribing to the comment feed for this post.

All Comments are Moderated and will be delayed!

yeah the bug has been already posted in many websites including milwr0m