Microsoft confirms IIS hole - The H Security: News and Features

Microsoft has confirmed the security hole in its IIS web server, but hasn't disclosed which versions of the product are affected. According to the finder of the "semi-colon bug", versions up to and including version 6 are vulnerable. The hole allows attackers, for instance, to camouflage executable ASP files as harmless JPEG files and upload malicious code to a server.

Microsoft confirms IIS hole - The H Security: News and Features

Well thanks. Something is wrong with one of the IIS, but we can't know which one yet.

Luck for us we can get better information

Secunia has confirmed the vulnerability “on a fully patched Windows Server 2003 R2 SP2 running Microsoft IIS version 6. Other versions may also be affected”.

Secunia has confirmed the vulnerability

Looks like a serious bug with he standard configuration of Windows Server.  Probably good reason to move to Window 2008 Server with IIS 7, but I have not been able to confirm that this is NOT impacted as well.

Blogged with the Flock Browser