MS IIS6 Virus Compromises Password-Protected Files

Security officials are asking administrators to proceed with caution when using Microsoft's Internet Information Services (IIS) Version 6, after it was learned that some of the services were vulnerable to attacks. These potential attacks could reveal encrypted folders and documents without requiring a password.

Internet Information Services is a set of Internet services for Microsoft-created servers. IIS is the second most popular web server (behind the Apache HTTP Server) in terms of overall websites in use.

One Slash Changes Everything

The compromised password-protected documents are filed under "". A request for the restricted folder might look like the following HTTP GET request:

    GET /..%c0%af/protected/ HTTP/1.1
    Translate: f
    Connection: close
    Host: servername

What happens is that the "%c0%af" portion of the preceding request line is converted to a simple "/" (slash). When this occurs, IIS6 recognizes the entire request as a valid file path. IIS6 then retrieves the desired file and sends it to the attacker without first asking for a password or security code.
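The bytes C0 AF are an overlong two-byte UTF-8 encoding of "/", which is why the sequence collapses to a slash. The following added example (not part of the original article; the function names are hypothetical and the sample requests are constructed) shows how a request filter or log review could flag such overlong encodings in a request target before any path is resolved:

```python
from urllib.parse import unquote_to_bytes

def overlong_sequences(path):
    """Return (hex_bytes, decoded_char) for each overlong UTF-8 sequence in a URL path."""
    raw, hits, i = unquote_to_bytes(path), [], 0
    while i < len(raw):
        b, rest = raw[i], raw[i + 1:i + 3]
        # Two-byte form with lead byte C0/C1 encodes a code point below 0x80 (plain ASCII).
        if b in (0xC0, 0xC1) and len(rest) >= 1 and 0x80 <= rest[0] <= 0xBF:
            hits.append((raw[i:i + 2].hex(), chr(((b & 0x1F) << 6) | (rest[0] & 0x3F))))
            i += 2
        # Three-byte form E0 80..9F xx encodes a code point below 0x800.
        elif b == 0xE0 and len(rest) == 2 and 0x80 <= rest[0] <= 0x9F and 0x80 <= rest[1] <= 0xBF:
            hits.append((raw[i:i + 3].hex(), chr(((rest[0] & 0x3F) << 6) | (rest[1] & 0x3F))))
            i += 3
        else:
            i += 1
    return hits

def inspect_request(raw_request):
    """Parse a raw HTTP request and report overlong encodings in its target."""
    lines = raw_request.splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    hits = overlong_sequences(target)
    return {"method": method, "target": target, "overlong": hits,
            "translate_f": headers.get("translate", "").lower() == "f",
            "suspicious": bool(hits)}

# Constructed sample input; the first request mirrors the one quoted in the article.
SAMPLES = [
    "GET /..%c0%af/protected/ HTTP/1.1\r\nTranslate: f\r\nConnection: close\r\nHost: servername\r\n\r\n",
    "GET /protected/ HTTP/1.1\r\nHost: servername\r\n\r\n",
    "GET /caf%c3%a9/menu.html HTTP/1.1\r\nHost: servername\r\n\r\n",  # valid UTF-8, not overlong
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = inspect_request(sample)
        print(result["target"], "->", "FLAG" if result["suspicious"] else "ok", result["overlong"])
```

Only the overlong form is flagged; correctly encoded non-ASCII paths such as the third sample pass through unchanged.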

If privacy infringement is not bad enough, consider that hackers can also manipulate the command line to upload malicious viruses and malware to secure areas of the server.

Microsoft Not Concerned

While the news is expected to be devastating for Microsoft, the company has responded with little urgency, stating that they have received no reports of an attack to date, signaling that the threat is all theoretical thus far.

The U.S. Computer Emergency Readiness Team (CERT) disagrees with Microsoft, claiming that there is sufficient evidence to suggest that the virus is in the midst of "active exploitation." In fact, WebDAV, a set of extensions to HTTP that allows users to edit and manage files on remote World Wide Web servers, is being temporarily disabled due to the prospect of attacks.

This is not the first time IIS has been compromised because of a potential virus. A similar bug crept onto IIS versions 4 and 5 in 2001, though no other services have been compromised since then.

The glitch is ranked three on a five-point severity scale, which has security officials calling it a "moderately critical" virus. As it stands, IIS6 is the only version susceptible to attack.

