IIS7 (distributed with Server 2008) is not affected.
IIS6 (distributed with Server 2003) is not affected in its default configuration. It is only affected if WebDAV has been installed and configured.
The vulnerability allows the attacker to bypass security mechanisms and access otherwise protected resources as the anonymous user. As this user by default does not have write access, the attacker will not be able to write files on the server, unless the admin has granted rights to anonymous (which would be really stupid).
It is unclear if the attacker can execute e.g. aspx pages or merely read files.
In the first case it could be really bad for a lot of sites, as pages typically do allow users to change something.
In the latter case the attacker may be able to snoop on configuration files. Which may also be bad if he can learn SQL server passwords etc. that way (ASP.NET allows the "connection string" section to be encrypted as a production best practice which would mitigate this).
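An added example, not part of the original comment: a small audit that reports whether the `connectionStrings` section of a web.config is stored in plaintext or wrapped by ASP.NET protected configuration. Both sample configs are constructed, the function name is hypothetical, and the root element is assumed to carry no XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample: plaintext section, readable by anyone who can fetch the file.
PLAINTEXT_CONFIG = """<configuration>
  <connectionStrings>
    <add name="Main"
         connectionString="Server=db01;Database=shop;User Id=app;Password=EXAMPLE-ONLY" />
  </connectionStrings>
</configuration>"""

# Constructed sample: section wrapped by protected configuration (cipher text is a placeholder).
PROTECTED_CONFIG = """<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>"""

XMLENC = "{http://www.w3.org/2001/04/xmlenc#}"


def audit_connection_strings(config_xml):
    """Return one finding per connection string that is stored unencrypted."""
    root = ET.fromstring(config_xml)
    section = root.find("connectionStrings")
    if section is None:
        return []
    # A protected section names its provider and holds an EncryptedData element.
    if (section.get("configProtectionProvider") is not None
            and section.find(XMLENC + "EncryptedData") is not None):
        return []
    findings = []
    for entry in section.findall("add"):
        name = entry.get("name", "<unnamed>")
        value = entry.get("connectionString", "")
        keys = {p.split("=", 1)[0].strip().lower() for p in value.split(";") if "=" in p}
        if keys & {"password", "pwd"}:
            findings.append(f"{name}: plaintext connection string with embedded password")
        else:
            findings.append(f"{name}: plaintext connection string")
    return findings


if __name__ == "__main__":
    for label, cfg in (("plaintext", PLAINTEXT_CONFIG), ("protected", PROTECTED_CONFIG)):
        print(label, audit_connection_strings(cfg))
```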




