Microsoft publishes guide to hacking IIS 5.0
A Microsoft Knowledge Base article on a vulnerability in its Internet Information Server (IIS) 5.0 is causing disquiet among security specialists, as the article includes a guide on how to reproduce the problem - essentially a guide to exploiting the vulnerability. Such comprehensive information on vulnerabilities is normally much desired in order to be able to make a better risk assessment and test security measures.
In this case Microsoft has abandoned its calls for responsible disclosure and has published the information with neither a patch nor a workaround available. Instead, the Redmond-based company recommends updating to IIS 6.0 to resolve the problem. This also requires an update to Windows Server 2003, which involves a financial outlay that many users will surely not be prepared to make. Microsoft has since removed the six-point guide from the article - the original version can, however, still be found in the Google cache.
The vulnerability in the hit-highlighting feature described by Microsoft allows certain content access restrictions to be circumvented, so that protected information can be accessed or files downloaded. Deleting the link to .htw files should prevent attackers from exploiting the vulnerability. Alternatively, access to .htw files can be regulated using the URLScan filter.
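To check whether either mitigation has taken effect, an administrator can audit the web server logs for .htw requests. The following is an added example, not code from Microsoft or from this article: it assumes IIS is writing W3C extended logs with the `cs-uri-stem` and `sc-status` fields enabled, and the log lines and the names `find_htw_requests` and `served` are constructed for illustration.

```python
# Added example: audit IIS W3C extended logs for requests to .htw files.
# SAMPLE_LOG is constructed for illustration; it is not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2007-06-01 10:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2007-06-01 10:00:01 192.0.2.10 GET /default.asp - 200
2007-06-01 10:00:05 192.0.2.44 GET /search/sample.HTW q=1 200
2007-06-01 10:00:09 192.0.2.44 GET /docs/report.htm - 200
#Fields: date time c-ip cs-uri-stem sc-status
2007-06-01 10:05:00 192.0.2.51 /search/other.htw 404
"""


def find_htw_requests(lines):
    """Return one dict per logged request whose URI stem ends in .htw."""
    fields, hits = [], []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            # The directive is rewritten whenever the logged field set
            # changes, so column positions are re-read each time it appears.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue  # other directives, blanks, or rows with unknown layout
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "")
        if stem.lower().endswith(".htw"):  # extension match is case-insensitive
            hits.append({"client": row.get("c-ip", "?"),
                         "stem": stem,
                         "status": row.get("sc-status", "?")})
    return hits


def served(hits):
    """Hits answered with a 2xx status: the extension is still reachable."""
    return [h for h in hits if h["status"].startswith("2")]


if __name__ == "__main__":
    for h in find_htw_requests(SAMPLE_LOG.splitlines()):
        print(h["client"], h["stem"], h["status"])
```

Any entry returned by `served` after the change means .htw requests are still being processed and the mitigation should be rechecked.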
- Hit-highlighting does not rely on IIS authentication, Knowledge Base article from Microsoft
- IIS 5.0 authentication bypass exploit -- CVE-2007-2815, ISC blog entry