threatpost | Dennis Fisher | THREATPOST:FAE0DDDC6420E9881C1D719E13B77095
History: May 19, 2009 - 1:59 p.m.

Microsoft confirms flaw in WebDAV in IIS

2009-05-19 13:59:37
Dennis Fisher
threatpost.com
EPSS: 0.974 (High), percentile 99.9%

Microsoft has confirmed the reported vulnerability in the WebDAV implementation in IIS 5.0, 5.1 and 6.0, saying that the flaw could be used to bypass the authentication mechanism on the Web server. However, the company said that there are a number of mitigating factors involved and that company security officials have not seen any attacks against the weakness so far.

Microsoft officials said that the vulnerability is mitigated by several things, including the fact that WebDAV is not enabled by default on IIS 6.0. However, the WebDAV protocol is widely used to share documents and information on Web servers. Normally implemented access control lists (ACLs), which prevent users from accessing files that they do not have permission to access, also would limit the damage of an attack.

The company also said that the vulnerability affects versions 5.0 and 5.1 of IIS, along with 6.0, which was the version that had been reported to be vulnerable originally. The most effective workaround until a patch is available is to disable WebDAV.
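
One way to confirm the workaround on your own servers, as an added example (not from the article or from Microsoft): classify the headers a server returns to an HTTP `OPTIONS` request, since a WebDAV-enabled resource advertises a `DAV` header and WebDAV methods. The function names are hypothetical, the two sample responses are constructed, and the check assumes the server answers `OPTIONS` truthfully.

```python
from email.parser import Parser
import re

# Methods defined by WebDAV (RFC 4918); a plain HTTP server does not advertise them.
DAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
# IIS versions the article names as affected.
AFFECTED_IIS = {"5.0", "5.1", "6.0"}

# Constructed sample OPTIONS responses (not captured from a real host).
SAMPLE_DAV_ON = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "MS-Author-Via: DAV\r\n"
    "DAV: 1, 2\r\n"
    "Public: OPTIONS, GET, HEAD, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH\r\n"
    "Allow: OPTIONS, GET, HEAD, COPY, PROPFIND, LOCK, UNLOCK\r\n\r\n"
)
SAMPLE_DAV_OFF = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n\r\n"
)

def parse_headers(raw_response):
    """Split a raw HTTP response into (status_line, case-insensitive headers)."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    status_line, _, header_block = head.partition("\n")
    return status_line, Parser().parsestr(header_block, headersonly=True)

def webdav_findings(raw_response):
    """Describe WebDAV exposure as seen in one OPTIONS response."""
    _, headers = parse_headers(raw_response)
    advertised = set()
    for name in ("Allow", "Public"):  # methods may be listed in either header
        for value in headers.get_all(name, []):
            advertised.update(m.strip().upper() for m in value.split(",") if m.strip())
    match = re.search(r"Microsoft-IIS/(\d+\.\d+)", headers.get("Server", ""))
    version = match.group(1) if match else None
    dav_enabled = "DAV" in headers or bool(advertised & DAV_METHODS)
    return {
        "iis_version": version,
        "dav_header": headers.get("DAV"),
        "dav_methods": sorted(advertised & DAV_METHODS),
        "webdav_enabled": dav_enabled,
        "needs_workaround": dav_enabled and version in AFFECTED_IIS,
    }
```

A host is only cleared when `webdav_enabled` is false; a missing or rewritten `Server` header leaves `iis_version` as `None`, so treat `webdav_enabled` on its own as the signal in that case.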