Internet Information Service (IIS) - Remote hacker automatic data theft
Version: At least version 5.0
Technical Details: Internet Information Service (IIS) is vulnerable to an authentication bypass attack that targets the software's hit highlight feature. By targeting a file that doesn't exist and then using the hit highlight feature, an attacker can bypass the basic authentication protection.
Description: Microsoft's web server software (IIS) has been found to be vulnerable to an attack that allows a remote attacker to bypass the basic authentication settings. A remote attacker could use this to gain access to sensitive areas of hosted sites, potentially allowing reconfiguration of the server or leverage of other vulnerabilities within the site software.
Mitigation: Consider upgrading to IIS 6.0 or later, or consider installing and running an alternative web server (such as Apache).
Updates: http://support.microsoft.com/kb/328832
Source: http://support.microsoft.com/kb/328832
Exploits: http://milw0rm.com/exploits/4016
External Tracking Data: CVE-ID: CVE-2007-2815
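Detection: the following is an added example, not part of the original advisory. It scans IIS W3C extended logs for anonymous hit-highlight (`.htw`) requests that were served successfully while their `CiWebHitsFile` parameter (named in the public description of CVE-2007-2815) pointed into a protected path. The log lines, the `/private/` prefix and the function name are constructed for illustration.

```python
import urllib.parse

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2007-06-01 10:00:01 192.0.2.10 alice GET /private/report.asp - 200
2007-06-01 10:00:05 192.0.2.77 - GET /private/report.asp - 401
2007-06-01 10:00:09 192.0.2.77 - GET /nosuchfile.htw CiWebHitsFile=/private/report.asp 200
2007-06-01 10:00:12 192.0.2.77 - GET /search.htw CiWebHitsFile=/public/faq.htm 200
"""

PROTECTED_PREFIXES = ("/private/",)  # assumption: paths that require Basic auth


def find_hit_highlight_bypass(log_text, protected=PROTECTED_PREFIXES):
    """Return log rows where an anonymous .htw request read a protected file."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if not row.get("cs-uri-stem", "").lower().endswith(".htw"):
            continue
        # parse_qs URL-decodes values; parameter names are matched case-insensitively.
        query = urllib.parse.parse_qs(row.get("cs-uri-query", ""))
        params = {k.lower(): v for k, v in query.items()}
        targets = [t.lower().replace("\\", "/")
                   for t in params.get("ciwebhitsfile", [])]
        hits_protected = any(t.startswith(p) for t in targets for p in protected)
        anonymous = row.get("cs-username", "-") == "-"  # "-" means no authenticated user
        served = row.get("sc-status", "").startswith("2")
        if hits_protected and anonymous and served:
            findings.append(row)
    return findings


if __name__ == "__main__":
    for r in find_hit_highlight_bypass(SAMPLE_LOG):
        print(r["date"], r["time"], r["c-ip"], r["cs-uri-stem"], r["cs-uri-query"])
```

Only the third sample row is reported: the direct anonymous request was refused with 401, while the hit-highlight request for the same file returned 200 with no authenticated user.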