Password Bypass Bug in Microsoft IIS Version 6.0

Password Bypass Bug in Microsoft IIS Version 6.0

A WebDAV vulnerability in Microsoft's Internet Information Server 6.0 (IIS) enables attackers to gain access to password-protected files and directories controlled by the web server. Attackers can also use the exploit to upload and download files to the server. The attack exploits a flaw in the processing of Unicode characters added to a web address.
WebDAV is not enabled by default on IIS 6.0. Web administrators are urged to temporarily disable WebDAV until the issue is addressed. A spokesperson from Microsoft said "We're currently unaware of any attacks trying to use the claimed vulnerability or of customer impact," but the US-CERT team are reporting "active exploitation" of the bug.