IIS 6 affected with 'security issue with semi-colons in URL', admit Microsoft

Microsoft reports that we’ve “found there’s no vulnerability in Internet Information Services (IIS). However, there’s an inconsistency in IIS 6 only in how it handles semicolons in URLs. The key in this is the last point: for the scenario to work, the IIS server must already be configured to allow both “write” and “execute” privileges […]

Microsoft reports that we’ve “found there’s no vulnerability in Internet Information Services (IIS). However, there’s an inconsistency in IIS 6 only in how it handles semicolons in URLs. The key in this is the last point: for the scenario to work, the IIS server must already be configured to allow both “write” and “execute” privileges on same directory. This’s not the default configuration for IIS and is contrary to all of our published best practices. IIS server configured in this manner is inherently vulnerable to attack. Customers using IIS 6.0 in default configuration or following best practices don’t need to worry about this issue. For those, running IIS in a configuration that allows both “write” and “execute” privileges on same directory, should review best practices and make changes to better secure your system from the threats that configuration can enable,” writes MSRC blog.

Resources and best practices for securely configuring IIS servers:

More info: IIS blog

About The Author

Deepak Gupta is a IT & Web Consultant. He is the founder and CEO of diTii.com & DIT Technologies, where he's engaged in providing Technology Consultancy, Design and Development of Desktop, Web and Mobile applications using various tools and softwares. Sign-up for the Email for daily updates. Google+ Profile.