Posts Tagged ‘WebDAV Request Vulnerability’

US-CERT Current Activity – Microsoft Internet Information Services (IIS) WebDAV Request Vulnerability – MICROSOFT


The following US-CERT announcement pertains to IIS 6, which is most commonly found running on Windows Server 2003 and Windows XP Professional x64 Edition.

“US-CERT Current Activity

Microsoft Internet Information Services (IIS) WebDAV Request Vulnerability

Original release date: May 18, 2009 at 8:54 am | Last revised: May 18, 2009 at 8:54 am


US-CERT is aware of public reports of a vulnerability affecting Microsoft Internet Information Services 6 (IIS6). Reports indicate that this vulnerability is due to improper handling of Unicode tokens.


Exploitation of this vulnerability may allow a remote attacker to bypass authentication methods, allowing an attacker to upload files to a WebDAV folder or obtain sensitive information. US-CERT is also aware of publicly available exploit code and active exploitation of this vulnerability.

US-CERT encourages users to implement the following workaround to help mitigate the risks until a patch or update is available from the vendor: Disable WebDAV. Administrators who are unable to disable WebDAV may be able to mitigate some risk by configuring their IDS to refuse external HTTP requests containing “Translate: f” headers. Please note that disabling WebDAV may affect the functionality of other applications such as SharePoint.


US-CERT will provide additional information as it becomes available.

====

This entry is available at http://www.us-cert.gov/current/index.html#microsoft_internet_information_services_iis

