Re: IIS vulnerability (MS06-034)
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Wed, 12 Jul 2006 21:27:22 -0700
I understood that issue to be exclusively limited to uploaded web content
that is then served with processing by the ASP ISAPI, which in turn is caused
to throw the error allowing the code to escape from the normal constraints
placed on the ASP ISAPI by IIS.
In that case, casual use of a site, such as OWA, that may use ASP but
that does not allow alteration of the ASP code would not be impacted.
However, patching is still advised, as authoring might in the future become
possible, but that patching is perhaps not needed so urgently.
"AI" <AI@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8AFC110F-FC4B-4107-953F-A534CBF2D19A@xxxxxxxxxxxxxxxx
Microsoft released security bulletin MS06-034, saying that there is a flaw in
ASP that could allow remote code execution. It's not clear to me from this
bulletin whether the exploit could only be used if the IIS server hosts a web
site that allows the user to upload files that IIS will execute, or whether
this can be done through web forms. For example, would an OWA server be
affected? Users can submit data through web forms, and they can upload files
as attachments, but not for processing as a script.
This bulletin on the one hand describes a vulnerability that, if I
understand correctly, would be exposed only in very rare cases, but the tone
of the bulletin makes it sound like every IIS server is vulnerable and needs
to be patched.