Alert Details - Security Center - Cisco Systems:
Serious new flaw found in IIS 6.0 | threatpost:
Microsoft Internet Information Services (IIS) version 6.0 contains a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and access sensitive information.
The vulnerability is due to improper processing of Unicode characters in HTTP requests. An unauthenticated, remote attacker could exploit this vulnerability by sending a malicious HTTP request to the system. An exploit could allow the attacker to bypass security restrictions and download arbitrary files from the targeted system.
Exploit code is available.
Microsoft has not confirmed this vulnerability and updates are not available. Only systems that have WebDav enabled are affected by this vulnerability.
So translation as a SBSer who may still have IIS6 on SBS 2003 boxes am I screwed? First question is do I have WebDAV enabled? Let’s see shall we? It has to be installed and to install it one has to go into add/remove components under IIS….
And the answer is….
It’s not installed. So if it’s not installed…. we are not at risk.
Next go into the IIS console and see on the Web service extensions… is WebDAV allowed?
Not installed, not allowed, doesn’t impact default SBS 2003 boxes.