We recently received a report of a vulnerability we thought everyone should be aware of. The vulnerability is in the Microsoft IIS 6.0 implementation of the WebDAV protocol. According to Wikipedia, “Web-based Distributed Authoring and Versioning, or WebDAV, is a set of extensions to the Hypertext Transfer Protocol (HTTP) that allows users to edit and manage files collaboratively on remote World Wide Web servers.” A common tool used as a WebDAV client, is Microsoft’s FrontPage.
The vulnerability describes a way for an attacker to retrieve protected files without any authentication. From a technical standpoint, all an attacker needs to do is insert a certain unicode character in the URI request. This make this vulnerability trivial to exploit. The vulnerability allows attackers to list all of the files in the WebDAV folder, and then access them individually.
As of this morning, there is no known mitigation for this vulnerability save disabling WebDAV for the time being.
Businesses employing an IIS 6.0 Web Server with WebDAV authoring method should carefully analyze their need for such service, and disable it if possible until a fix is released.