Thursday, June 7, 2007 
Saying that an Internet Information Server exploit is <A HREF="http://www.eweek.com/article2/0,1895,2141587,00.asp?kc=EWKNLNAV060507STR2">due to a feature, not a flaw,</A> Microsoft has published exploit code for the flaw but no workaround or patch. (Microsoft has removed the exploit code since this story first posted, saying that it was posted inadvertently.)
The exploit, which was discovered on Dec. 15, 2006, and made public at the end of May, works against IIS 5.x. By design, versions 5.x allow bypass of basic authentication by using the "hit highlight" feature. The hit-highlighting feature can be used by an unauthorized user to grab documents to which he or she has no privileges.
Recent Articles
-
Why a server-based anti-spam solution might be a good idea
-
Hosted email security with GFI MailEssentials Complete Online
-
Send your holiday emails from Outlook while keeping that personal touch
-
Welcome to the ZATZ Studio
-
Video: SmartSchedules can overcome some of Outlook’s limitations
-
Open question: what would you like to see us cover?
-
How the Epsilon breach might cause real security problems
-
Status report: migrating ZENPRESS to a new platform
From Our Sponsor
