MS IIS 5.x exploit released

1 post in this topic



- http://isc.sans.org/diary.html?storyid=2915

Last Updated: 2007-06-03 11:07:48 UTC

"...The exploit was discovered on December 15, 2006, and made public since the end of May 2007. The design of IIS 5.x allows to bypass basic authentication by using the hit highlight feature. Microsoft's response seems to be a bit atypical for them as it includes a section on how to reproduce the exploit. In other words: Microsoft is telling the world how to exploit their products being used by their customers. Not that the worst of those interested in it did not already know, but the one thing we need from Microsoft is not the exploit, but the patch or at least a decent work-around. And that patch is lacking. Their only defensive advice is to upgrade to IIS 6.0. Since this means that you would also need to upgrade the Windows 2000 or XP to Windows 2003, and that such an upgrade isn't free, nor easy. So what do we do when Microsoft does not give any advice but to upgrade to IIS 6.0? Let's look at alternatives. Feel free to write in if you know more effective alternatives:

* Most probably there is a way to remove something or change some registry setting to prevent this, unfortunately exactly what is neither documented nor validated.

* Try to use application level firewalls (filters), while they aren't the easiest to configure considering all the ways URLs can be encoded, it's something that might help for a while, but getting it fully right will be a pain. If you have the infrastructure it can be a temporary measure till you can upgrade IIS, solving the actual problem.

* Upgrade to Apache or another web server, with or without a (cross) upgrade of the OS.

* Scramble an upgrade to Windows 2003, potentially on more potent hardware..."


- http://support.microsoft.com/kb/328832

Last Review: April 23, 2007

Revision: 4.0

"...We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003..."


- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2815

CVSS Severity: 10.0 (High)

Range: Remotely exploitable
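
The diary's point that application-level filters are hard to get right "considering all the ways URLs can be encoded" can be seen in a small filter. This is an added example, not part of the original post, the ISC diary, or Microsoft's guidance; the blocked extension `.blocked`, the function names, and the sample requests are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Placeholder rule (assumption): the real pattern depends on the feature being shielded.
BLOCKED_EXTENSIONS = (".blocked",)
MAX_DECODE_ROUNDS = 5
_U_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")  # IIS-style %uXXXX escapes


def canonicalize(target: str) -> str:
    """Return the lower-cased, fully decoded path of a request target."""
    path = target.split("?", 1)[0]
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = _U_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), path)
        decoded = unquote(decoded, encoding="latin-1")
        if decoded == path:  # nothing left to decode
            break
        path = decoded
    else:
        raise ValueError("too many encoding layers")
    path = re.sub(r"/+", "/", path.replace("\\", "/")).lower()
    # Windows ignores trailing dots and spaces in a file name.
    return "/".join(seg.rstrip(". ") for seg in path.split("/"))


def naive_is_blocked(target: str) -> bool:
    """What a simple string-match rule does: compare the raw path suffix."""
    return target.split("?", 1)[0].endswith(BLOCKED_EXTENSIONS)


def is_blocked(target: str) -> bool:
    """Match on the canonical form; reject anything that cannot be normalised."""
    try:
        path = canonicalize(target)
    except ValueError:
        return True  # fail closed
    # Check every segment so trailing path info does not hide the extension.
    return any(seg.endswith(BLOCKED_EXTENSIONS) for seg in path.split("/"))


# Constructed sample request targets, not taken from any advisory.
SAMPLES = ["/docs/report.blocked?q=1", "/docs/report.%62locked",
           "/docs/report.%2562locked", "/docs/report.%u0062locked",
           "/DOCS\\REPORT.BLOCKED.", "/docs/report.blocked/extra",
           "/docs/index.html"]

if __name__ == "__main__":
    for t in SAMPLES:
        print(f"{t!r:32} naive={naive_is_blocked(t)!s:5} canonical={is_blocked(t)}")
```

Decoding more layers than the server does can block some legitimate requests, which is the conservative direction for a temporary filter of the kind the diary describes.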


