Microsoft reports that we’ve “found there’s no vulnerability in Internet Information Services (IIS). However, there’s an inconsistency in IIS 6 only in how it handles semicolons in URLs. The key in this is the last point: for the scenario to work, the IIS server must already be configured to allow both “write” and “execute” privileges on same directory. This’s not the default configuration for IIS and is contrary to all of our published best practices. IIS server configured in this manner is inherently vulnerable to attack. Customers using IIS 6.0 in default configuration or following best practices don’t need to worry about this issue. For those, running IIS in a configuration that allows both “write” and “execute” privileges on same directory, should review best practices and make changes to better secure your system from the threats that configuration can enable,” writes MSRC blog.
Resources and best practices for securely configuring IIS servers:
- IIS 6.0 Security Best Practices
- Securing Sites with Web Site Permissions
- IIS 6.0 Operations Guide
- Improving Web Application Security: Threats and Countermeasures
More info: IIS blog