Microsoft KB Article on How To Hack IIS
In addressing an IIS 5 bug (CVE-2007-2815), Microsoft Knowledge Base article #328832 went a step further than presenting the conditions needed to reproduce the issue: it provided step-by-step instructions for what is basically an exploit of the vulnerability.
Nice.
To make matters worse, the only fix suggested by Microsoft is to upgrade to IIS 6.0, because the status of this vulnerability is:
STATUS
This behavior is by design.
The KB article has since been updated and the step-by-step instructions were removed. However, the Google cache still has a copy of them:
1. In IIS 5.0 Service Pack 2 (SP2), create a folder named Dir1 in the Web site root (for example, C:\Inetpub\WWWRoot).
2. Create a file named File1.txt in Dir1, put some text in the file, and then save the file.
3. Set the authentication on the Web root folder in IIS to Anonymous authentication.
4. Set access in IIS to the Dir1 folder to Basic authentication only.
5. Using Anonymous authentication, open /Dir1/File1.txt. You receive an "Access Denied" error message.
6. Using Anonymous authentication, open the following URL (where null.htw represents your hit-highlighting file):
/null.htw?CiWebhitsfile=/dir1/file1.txt&CiRestriction=none&CiHiliteType=full
This will be successful.
In this case, the user can see the File1.txt file even when the user cannot be authenticated by IIS and cannot otherwise retrieve the file.
Note: For steps 3 and 4, you can use IP address restriction to restrict the file.
It would be interesting to watch the logs for
/null.htw?CiWebhitsfile=/dir1/file1.txt&CiRestriction=none&CiHiliteType=full
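One way to do that log watch, as an added example that is not part of the original post: it parses IIS W3C extended log lines (the sample lines below are constructed, not real traffic) and reports every request to a .htw hit-highlighting file that names a target through CiWebhitsfile, together with the status code, so a successful bypass like the one in the KB steps stands out on review.

```python
from urllib.parse import parse_qs

# Constructed sample of an IIS 5 W3C extended log; fields follow the #Fields header.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2007-06-12 10:01:02 192.0.2.10 - GET /Dir1/File1.txt - 401
2007-06-12 10:01:09 192.0.2.10 - GET /null.htw CiWebhitsfile=/dir1/file1.txt&CiRestriction=none&CiHiliteType=full 200
2007-06-12 10:02:30 192.0.2.11 - GET /index.htm - 200
2007-06-12 10:03:44 192.0.2.12 - GET /NULL.HTW CiWebHitsFile=%2Fdir1%2Ffile1.txt&CiRestriction=none 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def htw_hits(text):
    """Return (client ip, file named in CiWebhitsfile, status) for each
    hit-highlighting request. The stem and parameter names are compared
    case-insensitively and parse_qs URL-decodes the values, so the
    upper-cased and percent-encoded variants are caught as well."""
    findings = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        if not stem.endswith(".htw"):
            continue
        query = {k.lower(): v for k, v in parse_qs(rec.get("cs-uri-query", "")).items()}
        target = query.get("ciwebhitsfile")
        if target:
            # sc-status 200 here means the file content was actually served.
            findings.append((rec.get("c-ip", "?"), target[0], rec.get("sc-status", "?")))
    return findings


if __name__ == "__main__":
    for client, target, status in htw_hits(SAMPLE_LOG):
        print(f"{client} requested {target} via .htw (status {status})")
```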
This entry was posted on Tuesday, June 12th, 2007 and is filed under Vulnerabilities, Articles.